automated userid certifications (was Re: E-Mail Encryption: Why Isn't Everyone Doing It?)
David Shaw
dshaw@jabberwocky.com
Sun Oct 27 03:57:01 2002
On Sat, Oct 26, 2002 at 05:13:55PM -0400, Jason Harris wrote:
> On Fri, Oct 25, 2002 at 07:22:46PM -0400, David Shaw wrote:
> > On Fri, Oct 25, 2002 at 07:09:42PM -0400, Jason Harris wrote:
>
> > > Instead of trying to keep track of PGP keys making userid certifications
> > > in automated systems, would a new signature class (0x14 - email address
> > > verified via challenge/response) be advisable? I've already issued
> > > a few 0x12 (casually checked) signatures instead of 0x13 (carefully
> > > checked) signatures to handle this situation...
> >
> > I'd rather use 0x11, as a new signature class would have a serious
> > backwards compatibility problem. 0x11 is pretty good for this
> > purpose.
>
> [RFC wording]
> "0x11: Persona certification of a User ID and Public Key packet.
> The issuer of this certification has not done any verification
> of the claim that the owner of this key is the user ID
> specified."
>
> So a 0x11 signature really means that a person's first and last name,
> if given, weren't verified (against a photo ID), but the rest of the
> signed (hashed) data in the (public key and userid) packet(s) is being
> certified, right?
It means only what it says. It's a semantic difference, not a
functional difference. The user ID is being certified, because there
is a signature being made at all, but the semantic meaning of that
certification is "I'm making this signature, but I didn't check what
I'm certifying". RFC-1991 defines it as "This key was created by
someone who has told me that he is this user" which is perhaps a
better way to look at it.
> [GPG wording]
> "How carefully have you verified the key you are about to sign actually belongs
> to the person named above? If you don't know what to answer, enter "0".
>
> (0) I will not answer. (default)
> (1) I have not checked at all.
> (2) I have done casual checking.
> (3) I have done very careful checking."
>
> This wording throws me off though. I feel that I have verified something
> when I'm certifying an email <-> key connection, whether or not a first
> and last name ("person named above") are given in the userid packet.
Yes. However, I think the 0x11 "I haven't checked" is closer to the
right value than the 0x12 "I casually checked". It's all a matter of
the opinion of the *signer*, so it would be equally appropriate for it
to be a 0x13 - if the email checking robot considered checking email
"very careful" ;)
David
--
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
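As an added example, not code from the thread or from GnuPG: a minimal Python parser for OpenPGP signature-packet framing that pulls out the signature-class octet discussed above (0x11 through 0x13) and shows how a class outside the defined set, such as the proposed 0x14, falls through as unrecognized. The sample packet is constructed for this illustration, truncated after the hashed subpackets and carrying no real signature MPI.

```python
import struct
# Certification classes from RFC 4880 section 5.2.1 (same values in RFC 2440).
CERT_CLASSES = {
    0x10: "generic certification",
    0x11: "persona certification (no verification done)",
    0x12: "casual certification",
    0x13: "positive certification (substantial verification)",
}

def parse_packet_header(buf):
    """Return (tag, body_offset, body_len) for the packet starting at buf[0]."""
    first = buf[0]
    if not first & 0x80:
        raise ValueError("bit 7 of the packet tag octet must be set")
    if first & 0x40:                     # new-format tag: tag in the low 6 bits
        tag, l1 = first & 0x3F, buf[1]
        if l1 < 192:
            return tag, 2, l1
        if l1 < 224:
            return tag, 3, ((l1 - 192) << 8) + buf[2] + 192
        raise ValueError("5-octet and partial body lengths not handled here")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format tag octet
    if ltype == 0:
        return tag, 2, buf[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", buf[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", buf[1:5])[0]
    raise ValueError("indeterminate length not handled here")

def signature_class(packet):
    """Return (sigtype, description) for a v3 or v4 signature packet (tag 2)."""
    tag, off, length = parse_packet_header(packet)
    if tag != 2:
        raise ValueError("not a signature packet (tag %d)" % tag)
    body = packet[off:off + length]
    version = body[0]
    sigtype = body[2] if version == 3 else body[1]  # v3 has a length octet first
    # Anything outside the table (e.g. a proposed 0x14) is reported as unrecognized.
    return sigtype, CERT_CLASSES.get(sigtype, "unrecognized class 0x%02x" % sigtype)

def build_v4_sig_packet(sigtype, new_format=False):
    """Constructed sample: v4 signature body, truncated (no real MPI), framed."""
    body = bytes([4, sigtype, 1, 8]) + b"\x00\x06" + b"\x05\x02\x3d\xbb\x60\x00"
    body += b"\x00\x00" + b"\xab\xcd"    # no unhashed subpackets; left 16 bits
    if new_format:
        return bytes([0xC0 | 2, len(body)]) + body
    return bytes([0x80 | (2 << 2), len(body)]) + body
```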