re. Moving from PGP to GnuPG and other questions ...
Jeff Fisher
jeff+gnupg at jeffenstein.org
Thu Apr 29 19:11:41 CEST 2004
On Thu, Apr 29, 2004 at 09:30:04AM -0400, Dennis Lambe Jr. wrote:
>
> You have downloaded Lewis Powell's key (72007281), and then signed it
> (after duly verifying that it actually belongs to him via, for example,
> meeting him at a key-signing party and personally checking his
> government-issued ID and his key fingerprint). You know Lewis, and you
> know that he will only sign a key if he has made sure that it belongs to
> the person it says it does, so you've assigned him full trust (4).
This is where my confusion comes from with signing keys... Yes, I can sign the
key for Lewis Powell, after verifying that it is indeed a Lewis Powell that
owns the key.
However, a Google search for "Lewis Powell" returns about 8,000 hits,
including a Supreme Court justice, a criminal on death row, and a "Lewis
Powell" award (and the few more I'll add by putting his name in this e-mail).
I can safely assume he's not the one in jail, but he could be one of hundreds.
Which "Jeff Fisher" am I? The one running for Congress in Florida, the American
football coach, or yet another one?
The reality is that his name, which is the identifying information everybody
stresses, is far from unique. Yes, there may be only a handful of these
"Lewis Powell"s that use pgp, but that is relying on chance more than
anything.
There is also the e-mail address in the user id field, which should be unique
and relatively constant, but little or none of the information on signing keys
mentions verifying that the e-mail address is actually this person. Yes, it's
possible that someone else will take that e-mail address, but if several
e-mail addresses are listed on the key, you can be relatively sure that you
can still reach the person.
So, (finally), the question is, in practice what's the use of verifying only
the name of the person before signing their key?
Personally, I've only signed the keys of people I know personally. However,
after a bit of thought, this gives me pause to sign anybody else's key with or
without a passport, or reason to sign keys based on only e-mail correspondence.
--
jeff at jeffenstein.org http://www.jeffenstein.org/
Reality is that which, when you stop believing in it, doesn't go away.
-- Philip K. Dick
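The question raised in this message, what a signer can actually test other than the name, is easier to see with the key laid out per user ID. The script below is an added example, not part of the original post and not GnuPG's own code. It parses a constructed `gpg --with-colons --fingerprint --list-keys` listing of a hypothetical key (the name, addresses, key ID and fingerprint are all made up; only the field positions follow GnuPG's colon format), issues one random challenge per e-mail address on the key, and prints one signing command per user ID whose challenge came back. The `--quick-sign-key fpr [names]` syntax it emits is GnuPG 2.1 or later, so it postdates this 2004 thread; it is assumed here as the modern way to sign a single user ID rather than the whole key. A user ID that carries only a name has no address to challenge, so it is never signed by this flow.

```python
"""Per-user-ID checks before signing a key: challenge each e-mail address,
sign only the user IDs that answered.  Constructed example, not GnuPG code."""
import re
import secrets
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed `gpg --with-colons --fingerprint --list-keys` output for a
# hypothetical key.  Field positions follow GnuPG's colon format (field 1
# record type, field 2 validity, field 5 key ID on pub lines, field 10 the
# fingerprint on fpr lines or the user ID on uid lines).  Name, addresses,
# key ID and fingerprint are made up for this example.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:-:4096:1:89ABCDEF01234567:1700000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::0000000000000000000000000000000000000000::Example Signee <signee@example.org>::::::::::0:
uid:-::::1700000000::1111111111111111111111111111111111111111::Example Signee <e.signee@example.com>::::::::::0:
uid:-::::1700000000::2222222222222222222222222222222222222222::Example Signee::::::::::0:
sub:-:4096:1:0011223344556677:1700000000::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
"""

EMAIL_IN_UID = re.compile(r"<([^<>@\s]+@[^<>@\s]+)>\s*$")


@dataclass
class UserId:
    uid: str             # full user ID string, unescaped
    name: str            # part before the <address>, or the whole UID
    email: Optional[str]
    validity: str        # GnuPG validity letter for this UID ('-' = unknown)


@dataclass
class Key:
    keyid: str
    fingerprint: str = ""
    uids: List[UserId] = field(default_factory=list)


def unescape_colon_field(raw: str) -> str:
    """Undo GnuPG's \\xNN escaping of ':' and '\\' inside colon-format fields."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def parse_colon_listing(text: str) -> List[Key]:
    """Group pub/fpr/uid records into Key objects; sub-key fpr lines are skipped."""
    keys: List[Key] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append(Key(keyid=f[4]))
        elif f[0] == "fpr" and keys and not keys[-1].fingerprint:
            keys[-1].fingerprint = f[9]          # first fpr after pub = primary key
        elif f[0] == "uid" and keys:
            uid = unescape_colon_field(f[9])
            m = EMAIL_IN_UID.search(uid)
            name = uid[: m.start()].strip() if m else uid.strip()
            keys[-1].uids.append(UserId(uid, name, m.group(1) if m else None, f[1]))
    return keys


def issue_challenges(key: Key) -> Dict[str, str]:
    """One random token per e-mail address on the key.  The signer mails each
    token to its own address, encrypted to key.fingerprint, so only someone who
    reads that mailbox *and* holds the private key can decrypt and return it."""
    return {u.email: secrets.token_hex(16) for u in key.uids if u.email}


def confirmed_uids(key: Key, challenges: Dict[str, str],
                   replies: Dict[str, str]) -> List[UserId]:
    """User IDs whose token came back intact.  A UID with only a name has no
    address to challenge and is never confirmed, which is the point of the post."""
    return [
        u for u in key.uids
        if u.email and u.email in replies
        and secrets.compare_digest(challenges[u.email], replies[u.email])
    ]


def sign_commands(key: Key, confirmed: List[UserId]) -> List[str]:
    """One gpg invocation per confirmed UID.  Restricting --quick-sign-key to a
    user ID string is GnuPG 2.1+ syntax (assumed here; it postdates 2004)."""
    return [f"gpg --quick-sign-key {key.fingerprint} {shlex.quote(u.uid)}"
            for u in confirmed]


def demo() -> List[str]:
    """Run the whole flow on the constructed listing, simulating that only the
    first address answers its challenge."""
    key = parse_colon_listing(SAMPLE_LISTING)[0]
    challenges = issue_challenges(key)
    replies = {"signee@example.org": challenges["signee@example.org"]}  # simulated mail
    return sign_commands(key, confirmed_uids(key, challenges, replies))


if __name__ == "__main__":
    for cmd in demo():
        print(cmd)
```

Run against a real keyring by replacing SAMPLE_LISTING with the output of `gpg --with-colons --fingerprint --list-keys KEYID`; the tokens then actually have to be sent, encrypted to the key, and collected from the replies before the signing commands are executed.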