[wellylug] Meeting next week (GPG Key signing)

Richard Hector richard at walnut.gen.nz
Sun Jun 15 02:44:33 NZST 2014


On 15/06/14 00:40, Michael Fincham wrote:
> Given the above, GnuPG actually allows for specifying some
> metadata around what identity verifications you've undertaken when
> you grant with a signature, and this is roughly the process I
> follow when choosing a "certification level" on a new signature
> (from `man 1 gpg'):
> 
> 0 means you make no particular claim as to how carefully you
> verified the key.
> 
> 1 means you believe the key is owned by the person who claims to
> own it but you could not, or did not verify the key at all. This
> is useful for a "persona" verification, where you sign the key of
> a pseudonymous user.
> 
> 2 means you did casual verification of the key. For example,
> this could mean that you verified the key fingerprint and
> checked the user ID on the key against a photo ID.
> 
> 3 means you did extensive verification of the key. For example,
> this could mean that you verified the key fingerprint with the
> owner of the key in person, and that you checked, by means of a
> hard to forge document with a photo ID (such as a passport) that
> the name of the key owner matches the name in the user ID on the
> key, and finally that you verified (by exchange of email) that
> the email address on the key belongs to the key owner.

Interesting. Looking at --list-sigs for my key, I can see that all are
level 0 except my own signatures on my own key, which are level 3.
That makes sense, I guess.

The bit that seems more alarming is this bit from the manpage:
--min-cert-level
  When building the trust database, treat any signatures with a
  certification level below this as invalid. Defaults to 2, which
  disregards level 1 signatures. Note that level 0 "no particular
  claim" signatures are always accepted.

That seems to imply that I have to always trust the default level 0
signatures, despite them being the least trustworthy. Or am I reading
that wrong?

Richard
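As an added illustration (not part of the thread), here is a small script that reads the kind of `gpg --list-sigs --with-colons` output Richard is looking at, maps each signature's class to its certification level, and applies the `--min-cert-level` rule as the manpage states it. The listing, key IDs and user IDs below are constructed sample data, not real keyring output.

```python
"""Classify the certification level of each 'sig' record in
`gpg --list-sigs --with-colons` output and apply the --min-cert-level
rule from the gpg manpage: level 0 is always accepted, levels 1 up to
min-cert-level minus one are disregarded. Sample data is constructed."""

# RFC 4880 certification signature classes -> GnuPG cert level 0..3
CERT_CLASSES = {0x10: 0, 0x11: 1, 0x12: 2, 0x13: 3}

# Constructed listing: one self-signature (level 3) plus three other
# certifications; the last one is local-only ("l" suffix).
SAMPLE_LISTING = """\
pub:u:2048:1:0000000000000001:1400000000:::u:::scESC:
uid:u::::1400000000::0000000000000000000000000000000000000000::Example User <user at example.invalid>:
sig:::1:0000000000000001:1400000000::::Example User <user at example.invalid>:13x:
sig:::1:0000000000000002:1400000100::::Persona Signer <persona at example.invalid>:11x:
sig:::1:0000000000000003:1400000200::::Casual Signer <casual at example.invalid>:10x:
sig:::1:0000000000000004:1400000300::::Local Signer <local at example.invalid>:12l:
"""


def parse_sigs(listing):
    """Return (signer key ID, cert level, exportable) for each 'sig' record.
    Field 11 of a sig record is the two-hex-digit signature class followed
    by 'x' (exportable) or 'l' (local-only); other classes are skipped."""
    sigs = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "sig" or len(fields) < 11:
            continue
        sig_class = fields[10]
        level = CERT_CLASSES.get(int(sig_class[:2], 16))
        if level is None:
            continue
        sigs.append((fields[4], level, sig_class.endswith("x")))
    return sigs


def accepted_under_min_cert_level(sigs, min_cert_level=2):
    """Apply the manpage rule when building the trust database:
    level 0 always counts, levels 1..min_cert_level-1 are treated as invalid."""
    return [(keyid, level, level == 0 or level >= min_cert_level)
            for keyid, level, _exportable in sigs]


if __name__ == "__main__":
    for keyid, level, ok in accepted_under_min_cert_level(parse_sigs(SAMPLE_LISTING)):
        print(f"{keyid}: level {level} -> {'accepted' if ok else 'disregarded'}")
```

Run against real output with `gpg --list-sigs --with-colons <keyid>` piped into `parse_sigs`; raising the second argument to 3 shows which casual (level 2) certifications a stricter `--min-cert-level` would drop while the level 0 ones still count.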

