[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: GPG USAGE HOWTO 1 (was: Re: AM report on Thierry Bourrillon)

Lenart Janos wrote:
  >> When I sign a key I confirm than
  >>  o  a person showing me a photo ID (passport, etc..) has claimed that
  >>     this key (with fingerprint etc) is their key,
  >>  o  the Name on the photo ID matches the name on the key user id
  >>  o  the person can receive and read mail at all mailboxes I sign.
  >> I used to check whether the person actually owns the secret key too
  >> but don't do this any longer.
  >Everyone should do these. Guys, take those keys seriously, please :)

Not so; this is not practical.

Consider the common method of keysigning; someone gives you a slip showing the
key id and shows you his personal id.  You can verify that the id belongs to 
person you are talking to and you know that that person is asserting that
the key on the slip is his.  If you test the email address(es) it will be
at a later time, and it is impossible for you to verify that the person you
talked to is the one who is operating that address.  The most you can actually
know is that someone who knows the secret key is operating it, which is
redundant information, seeing that the secret key was necessary to put that
address into the key in the first place.

The email addresses are relatively unimportant, because all the key actually
guarantees is that someone who knows the secret key is using it.  It does not
guarantee that a message comes from the email address in the key.

Oliver Elphick                                Oliver.Elphick@lfix.co.uk
Isle of Wight                              http://www.lfix.co.uk/oliver
PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47  6B 7E 39 CC 56 E4 C1 47
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839  932A 614D 4C34 3E1D 0C1C
     "But as many as received him, to them gave he power to 
      become the sons of God, even to them that believe on 
      his name."    John 1:12 

Reply to: