Driving licence as identification and accepting signed keys without exchanging encrypted data

Tony Whitmore tony at tonywhitmore.co.uk
Mon Jul 24 23:40:55 CEST 2006


David Shaw wrote:
> On Mon, Jul 24, 2006 at 09:50:22PM +0100, Tony Whitmore wrote:
>> First: Is a photo driving licence considered adequate identification?
>> I'm in the UK so we have UK / EU photo driving licences. I have
>> previously only used passports as ID, but some people were presenting
>> driving licences instead.
> 
> It depends on what *you* think.  Some people do accept driver licences
> as adequate identification.  Some don't.  I do, for what it's worth.

I understand there is a personal decision to be made here, and that I
have responsibility to be satisfied with the ID, but I don't know
whether there are good arguments for/against accepting photo driving
licences.

>> Second: I've already had back some e-mails, encrypted with my public
>> key, with signatures attached ready for me to upload to a keyserver. I
>> usually use the procedure described at [1], which requires the
>> additional verification of the encryption, exchange and decryption of a
>> random amount of text before signatures are sent. Obviously I have to be
>> able to decrypt the e-mail successfully to access the signature they
>> have sent me, but is this considered a safe and appropriate way to sign
>> keys?
> 
> No, it's not.  Some people do it, though.

:( I suppose I have the option of not uploading their signature to a
public keyserver, but presumably these people are damaging the web of
trust in signing keys in this way?

> Note that there is a difference between what the page at
> http://www.hantslug.org.uk/cgi-bin/wiki.pl?LinuxHints/KeySigning says
> and what you say above.  The page (correctly) notes that all that is
> necessary is that the person *sign* the challenge before sending it
> back to you.  The page makes clear ("encrypted, if you like") that
> encryption is optional here, and adds little to what you are trying to
> prove.  It doesn't matter if other people can read the signed
> challenge or not.  Of course, it doesn't hurt to encrypt, so long as
> it is understood that it doesn't really help either.

Yes, I realise I didn't phrase my explanation very well. The procedure I
use is as described on the referenced web page. What should have been a
separate comment was in regard to the encrypted e-mails *I* have been
sent with signatures attached. In order to access the attached signature
file, I have to be able to decrypt the e-mail, meaning I have to have
access to my private key. If I don't have the private key, I can't
decrypt the e-mail and can't access the signature to upload it. This
seems to provide some sort of checking that the e-mail address ties up
with the public and private keys, but again I'd like to hear what other
people think.

> Take a look at the thread starting at
> http://lists.gnupg.org/pipermail/gnupg-users/2006-July/028949.html

Thank you, I will do so.

Tony
