[wellylug] Meeting next week (GPG Key signing)
Michael Fincham
michael at hotplate.co.nz
Sun Jun 15 00:40:37 NZST 2014
Hi Richard,
On Sat, 14 Jun 2014 11:31:39 +1200, Richard Hector wrote:
> On 14/06/14 01:31, Michael Fincham wrote:
> > I'm happy to sign keys for people with or without ID (though I'll
> > ascribe trust accordingly).
>
> That's an interesting point. My understanding is that there are 2
> things you can assert here.
>
> 1) I am confident that this person is who they say they are
> 2) I trust this person to be honest, including making good decisions
> re point 1.
I like to think of it more as verifying that "the person who owns the key is this person I am meeting now", with the added bonus that if they have a hard-to-forge ID document with them, maybe they're also who they claim to be :) I'm not an expert in detecting forged documents, so really seeing someone's ID is hard to give a clear value to (though I've seen plenty of people's IDs in order to sign their keys, and nobody's given me a clearly bogus document yet either!).
Further, given the risk of identity theft, I don't feel like I can be in the business of demanding that others show me all their juicy ID details when they may have only just met me :) I've been known to (for instance at the Kiwicon 7 signing party) cover up my DOB and licence number on my driver's licence when using it for this purpose.
[...]
> But I'd urge you to rethink, and consider your position on id-checking
> for the implications on your reputation that it has.
>
> This is all as I understand the system - I may well have got bits of
> it wrong, and am always happy to be educated.
Given the above, GnuPG actually allows for specifying some metadata around what identity verifications you've undertaken when you grant with a signature, and this is roughly the process I follow when choosing a "certification level" on a new signature (from `man 1 gpg'):
    0 means you make no particular claim as to how carefully you
      verified the key.

    1 means you believe the key is owned by the person who claims to
      own it but you could not, or did not verify the key at all. This
      is useful for a "persona" verification, where you sign the key
      of a pseudonymous user.

    2 means you did casual verification of the key. For example,
      this could mean that you verified the key fingerprint and
      checked the user ID on the key against a photo ID.

    3 means you did extensive verification of the key. For example,
      this could mean that you verified the key fingerprint with the
      owner of the key in person, and that you checked, by means of a
      hard to forge document with a photo ID (such as a passport) that
      the name of the key owner matches the name in the user ID on the
      key, and finally that you verified (by exchange of email) that
      the email address on the key belongs to the key owner.
There is a caveat here, as the man page goes on to say:

    Note that the examples given above for levels 2 and 3 are just
    that: examples. In the end, it is up to you to decide just what
    "casual" and "extensive" mean to you.

    This option defaults to 0 (no particular claim).
How you ascribe meaning to the various levels is not necessarily well defined outside of your own personal WoT. I would suspect that more or less everyone participating in the public keyserver WoT uses roughly what the man page describes here, though.
Some people choose to publicise a "signing policy" with their own particular interpretation, but I don't really grok how common or useful this is. I've only seen it a few times, personally.
--
Michael
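The certification levels Michael quotes from gpg(1) are recorded in the signature itself, so they can be audited on any key after the fact. The following is an added example, not code from the original message: it maps the signature class that `gpg --with-colons --list-sigs` prints back to the 0..3 levels. It assumes the colon-record layout documented in GnuPG's doc/DETAILS; the sample output and key IDs are constructed, not real keys.

```python
"""Summarise the certification levels claimed on a key's user IDs.

Parses the machine-readable output of `gpg --with-colons --list-sigs KEYID`
(record layout assumed from GnuPG's doc/DETAILS) and maps each user-ID
certification back to the 0..3 "cert level" described in gpg(1).
"""

# RFC 4880 certification signature types as gpg prints them in the
# signature-class field: 0x10 generic (level 0), 0x11 persona (1),
# 0x12 casual (2), 0x13 positive (3). A trailing 'x' marks an
# exportable signature, 'l' a local-only one.
CERT_CLASSES = {
    "10": (0, "generic (no claim)"),
    "11": (1, "persona (not verified)"),
    "12": (2, "casual"),
    "13": (3, "extensive"),
}

def parse_list_sigs(colon_output):
    """Return {uid: [(signer_keyid, level, label, is_self_sig), ...]}."""
    result, own_keyid, current_uid = {}, None, None
    for line in colon_output.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":
            own_keyid = fields[4]        # field 5: key ID of the key itself
        elif rec == "uid":
            current_uid = fields[9]      # field 10: the user ID string
            result.setdefault(current_uid, [])
        elif rec in ("sub", "ssb"):
            current_uid = None           # binding sigs on subkeys are not certifications
        elif rec == "sig" and current_uid is not None:
            cls = fields[10][:2]         # field 11: e.g. "12x" -> "12"
            if cls not in CERT_CLASSES:
                continue                 # e.g. revocation (0x30), not a certification
            level, label = CERT_CLASSES[cls]
            signer = fields[4]
            result[current_uid].append((signer, level, label, signer == own_keyid))
    return result

def third_party_levels(parsed):
    """Levels claimed by signers other than the key owner, per user ID."""
    return {uid: [lvl for _, lvl, _, self_sig in sigs if not self_sig]
            for uid, sigs in parsed.items()}

# Constructed sample output (fake key IDs); the self-signature is class 0x13.
SAMPLE = """pub:u:4096:1:0123456789ABCDEF:1400000000:::u:::scESC::::::23::0:
uid:u::::1400000000::0000::Example Person <example@example.invalid>::::::::::0:
sig:::1:0123456789ABCDEF:1400000000::::Example Person <example@example.invalid>:13x:::::::::
sig:::1:FEDCBA9876543210:1402700000::::Casual Signer <casual@example.invalid>:12x:::::::::
sig:::1:0000000000001111:1402700001::::Persona Signer <persona@example.invalid>:11x:::::::::
sig:::1:2222222222223333:1402700002::::No Claim Signer <nc@example.invalid>:10x:::::::::
sub:u:4096:1:1111222233334444:1400000000::::::e::::::23:
sig:::1:0123456789ABCDEF:1400000000::::Example Person <example@example.invalid>:18x:::::::::"""

if __name__ == "__main__":
    for uid, sigs in parse_list_sigs(SAMPLE).items():
        for signer, level, label, self_sig in sigs:
            print(f"{uid}: {signer} level {level} ({label}){' [self]' if self_sig else ''}")
```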