Recommendations for handling (multiple) user IDs - personal and company ones

Hauke Laging mailinglisten at hauke-laging.de
Sat Jun 8 21:21:17 CEST 2013


On Sat 08.06.2013, 13:03:06, Daniel Kahn Gillmor wrote:

> fwiw, some people might not be comfortable certifying a User ID
> ("signing a key") with such a comment,

Crypto is NOT about comfort but about security. The point is: Does a 
certification make sense? Most certifications I see do not.

They come without a certification level, without a policy URL, usually have no 
(especially not a reliably signed) key policy and are usually not made by 
offline main keys (or similar). In the end: more or less worthless. The WoT in 
its current form is occupational therapy for people who refuse to do crypto 
right (or rather: don't know what that means).


> since it is not actually a part of the user's identity.

Who cares? The question is: Does such a UID make the key better (with or 
without the WoT)? And if the answer is "It does", who would dare argue against 
that with the vague definition from the RFC?

A comment may be a statement about the function of the key owner in an 
organization and thus is an important part of the identity. This is explicitly 
intended by signature law! Such a comment should be certified by the 
organization's certification key only. That it does not make sense that 
everyone signs a comment does not make the comment useless or bad in any way.


> How is an OpenPGP certifier supposed to
> validate the correctness of this comment?

You have to read the comment statement and its certification right. It 
obviously doesn't mean "I have checked that this is true" as everybody 
immediately understands that it is not possible for the certifier to check 
this. Instead it means: "I testify to it that the key owner makes this 
statement about the certified key." And statements about keys are damn 
important. You cannot do secure crypto without them.

You are right insofar as in a perfect world this information might better be 
placed elsewhere (standardized, machine readable signature notations). But in 
this world and this time not even policy URLs are shown by default. Thus for 
maybe the next five years it is definitely a good idea to put the most 
important information about a key into a UID.


> https://www.debian-administration.org/users/dkg/weblog/97

Sorry but the example you use on that page is ridiculous. It doesn't prove 
anything about UID comments except for the trivial fact that it is possible to 
use them for ridiculous purposes. You really should not leave that online.

If someone makes a statement about the security of his key and decides to 
change this statement for the same key (no matter in which direction) that 
would be self-sabotage. Stupid behaviour but not nearly an argument against 
statements about key security. And such statements are useless if they are not 
certified. It would make sense that the certifier demands that statement on 
paper with a manual signature.


Hauke
-- 
☺
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)
http://www.openpgp-courses.org/
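The certification properties the post keeps returning to (a certification level, a policy URL, a key-policy statement that is "reliably signed") are concrete fields of an OpenPGP signature packet. The following Python is an added example, not code from the post or from GnuPG: it builds two constructed v4 certification packets and parses those fields back out, tagging each claim with whether the signature actually covers it. That is the check behind "reliably signed": a Policy URL or notation placed in the unhashed subpacket area (RFC 4880, section 5.2.3) is not part of the signed data and can be edited by anyone. The sample URL, notation name, timestamp and issuer key ID are placeholders, and the signature MPI is a dummy, so nothing here verifies a signature.

```python
"""Parse certification metadata from an OpenPGP v4 signature packet (RFC 4880 5.2.3).

Added example, not the post's own code: extracts the certification level
(signature types 0x10..0x13), Policy URL subpackets (type 26) and Notation Data
subpackets (type 20), and flags claims in the unhashed area, which the signature
does not cover. Samples are constructed with a dummy MPI; URL, notation name,
timestamp and issuer key ID are placeholders.
"""
import struct

CERT_LEVELS = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}
SP_CREATION_TIME, SP_ISSUER, SP_NOTATION, SP_POLICY_URL = 2, 16, 20, 26

def encode_subpacket(sp_type, payload):
    """Length (1 or 2 bytes, enough for < 8384 octets), type octet, payload."""
    body = bytes([sp_type]) + payload
    n = len(body)
    length = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return length + body

def iter_subpackets(area):
    """Yield (type, critical, payload) per subpacket; handles 1-, 2- and 5-byte lengths."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        body, pos = area[pos:pos + length], pos + length
        yield body[0] & 0x7F, bool(body[0] & 0x80), body[1:]

def encode_notation(name, value):
    """Human-readable notation: flags 0x80000000, name length, value length, name, value."""
    return b"\x80\x00\x00\x00" + struct.pack(">HH", len(name), len(value)) + name.encode() + value

def decode_notation(payload):
    name_len, value_len = struct.unpack(">HH", payload[4:8])
    name = payload[8:8 + name_len].decode()
    value = payload[8 + name_len:8 + name_len + value_len]
    return name, (value.decode() if payload[0] & 0x80 else value.hex())

def build_v4_certification(sig_type, hashed, unhashed):
    """Old-format header (tag 2, 2-byte length), RSA/SHA-256, zero hash prefix, dummy MPI."""
    body = bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00" + struct.pack(">H", 16) + b"\xab\xcd"
    return bytes([0x89]) + struct.pack(">H", len(body)) + body

def parse_certification(packet):
    """Return cert level, policy URLs, notations and issuer; each claim carries a
    'covered' flag that is True only when it sits in the hashed (signed) area."""
    tag_byte = packet[0]
    if (tag_byte & 0x40) or ((tag_byte >> 2) & 0x0F) != 2 or (tag_byte & 3) == 3:
        raise ValueError("expected an old-format signature packet with a definite length")
    size = 1 << (tag_byte & 3)
    length, pos = int.from_bytes(packet[1:1 + size], "big"), 1 + size
    body = packet[pos:pos + length]
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed, p = body[6:6 + hashed_len], 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[p:p + 2])[0]
    unhashed = body[p + 2:p + 2 + unhashed_len]
    info = {"cert_level": CERT_LEVELS.get(body[1]), "policy_urls": [], "notations": [], "issuer": None}
    for area, covered in ((hashed, True), (unhashed, False)):
        for sp_type, _critical, payload in iter_subpackets(area):
            if sp_type == SP_POLICY_URL:
                info["policy_urls"].append((payload.decode(), covered))
            elif sp_type == SP_NOTATION:
                info["notations"].append(decode_notation(payload) + (covered,))
            elif sp_type == SP_ISSUER:
                info["issuer"] = payload.hex()
    return info

def unprotected_claims(info):
    """Policy URLs and notation names a relying party must ignore: not covered by the signature."""
    return [u for u, covered in info["policy_urls"] if not covered] + \
           [n for n, _v, covered in info["notations"] if not covered]

# Constructed samples; URL, notation name, timestamp and issuer key ID are placeholders.
POLICY_URL = b"https://example.org/cert-policy"
ISSUER = encode_subpacket(SP_ISSUER, bytes.fromhex("0123456789abcdef"))
CREATED = encode_subpacket(SP_CREATION_TIME, struct.pack(">I", 1370719277))

def sample_careful():
    """Level-3 certification with policy URL and role notation inside the hashed area."""
    hashed = CREATED + encode_subpacket(SP_POLICY_URL, POLICY_URL) + encode_subpacket(
        SP_NOTATION, encode_notation("role@example.org", b"release-manager"))
    return build_v4_certification(0x13, hashed, ISSUER)

def sample_sloppy():
    """Generic certification whose policy URL was appended to the unhashed area."""
    return build_v4_certification(0x10, CREATED, ISSUER + encode_subpacket(SP_POLICY_URL, POLICY_URL))

if __name__ == "__main__":
    for build in (sample_careful, sample_sloppy):
        info = parse_certification(build())
        print(build.__name__, info, "unprotected:", unprotected_claims(info))
```

Running the script prints both parses. The first sample is what a careful certifier produces: a level-3 certification whose policy URL and role statement are inside the hashed area, so they are bound to the certifier's signature. The second sample has the same URL in the unhashed area, and `unprotected_claims` reports it as something a relying party must not treat as certified. With GnuPG, `--ask-cert-level` (or `--default-cert-level`), `--cert-policy-url` and `--cert-notation` set these fields when signing a key, and `--list-options show-policy-urls,show-notations` makes them visible when inspecting certifications.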