key fingerprints - a practice question

David Shaw dshaw at jabberwocky.com
Tue Jul 29 03:33:19 CEST 2003


On Mon, Jul 28, 2003 at 07:57:46AM -0400, John A. Martin wrote:
> >>>>> "Adrian" == Adrian von Bidder
> >>>>> "Re: key fingerprints - a practice question"
> >>>>>  Mon, 28 Jul 2003 10:20:47 +0200
> 
>     Adrian> for 'I send this encrypted mail to the same guy who always
>     Adrian> posts on this mailing list' sort of identification, it
>     Adrian> suffices - especially since there is no need to really
>     Adrian> identify the person behind the mail address, it's only
>     Adrian> important that it's the same person.
> 
>     Adrian> Hope you get what I mean
> 
> That seems to be an extraordinary difficult concept for many folks to
> grasp.
> 
> When the 'persona' first appeared I thought it would solidify the
> notion of a network identity without necessarily a connection to
> the real world.  I must have been mistaken for it seems that the
> notion of a 'persona' is employed differently than that.
> 
> I am not sure what is to be understood by _persona_ in the PGP
> context.  Would someone care to enlighten me?

2440 defines persona signatures as:

       The issuer of this certification has not done any verification
       of the claim that the owner of this key is the User ID
       specified. 

1991 defines it even better as "This key was created by someone who
has told me that he is this user".

The real world situation is unfortunately a little more complex.  All
current PGP-like programs treat persona signatures (as well as the
related "casual" and "positive" signatures) the same as they treat a
generic key signature.  Since a persona signature has the same weight
as a positive signature, that breaks the traditional web of trust in
that spot.

It is possible to make a new trust model where persona signatures are
treated differently... but then we still have to consider the (large)
existing installed software base that would still give those
signatures full weight.  Plus, even if GnuPG supported such a thing,
PGP likely wouldn't, thus skewing the interpretation of a signature.

David
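As an added illustration (not code from this post, from GnuPG or from PGP), a toy key-validity computation over the RFC 2440 certification classes, comparing the type-blind treatment described above with a hypothetical model that gives persona certifications no weight; the trust thresholds, owner-trust values and signer names are assumptions.

```python
# Added illustration, not code from the post or from GnuPG/PGP.  The
# certification classes are the real OpenPGP values (RFC 2440, 5.2.1); the
# validity rule is a simplified toy of the classic web-of-trust computation
# with GnuPG's default thresholds (1 complete or 3 marginal certifications).
GENERIC, PERSONA, CASUAL, POSITIVE = 0x10, 0x11, 0x12, 0x13


def key_validity(certs, owner_trust, ignored_classes=frozenset(),
                 completes_needed=1, marginals_needed=3):
    """Validity ("full", "marginal" or "unknown") of one User ID.
    certs: (signer, certification_class) pairs on that User ID;
    owner_trust: signer -> "full" | "marginal" | "unknown";
    ignored_classes: certification classes that carry no weight."""
    fulls = marginals = 0
    for signer, cls in certs:
        if cls in ignored_classes:
            continue
        trust = owner_trust.get(signer, "unknown")
        if trust == "full":
            fulls += 1
        elif trust == "marginal":
            marginals += 1
    if fulls >= completes_needed or marginals >= marginals_needed:
        return "full"
    if fulls or marginals:
        return "marginal"
    return "unknown"


def validity_type_blind(certs, owner_trust):
    """What the post says current implementations do: a persona (0x11)
    certification weighs exactly as much as a positive (0x13) one."""
    return key_validity(certs, owner_trust)


def validity_type_aware(certs, owner_trust):
    """Hypothetical alternative model from the post: persona certifications,
    which assert that nothing was verified, contribute no weight."""
    return key_validity(certs, owner_trust, ignored_classes={PERSONA})


# Constructed sample: three marginally trusted signers certified the same
# User ID, but two of them explicitly declared they verified nothing.
SAMPLE_CERTS = [("alice", POSITIVE), ("bob", PERSONA), ("carol", PERSONA)]
SAMPLE_TRUST = {"alice": "marginal", "bob": "marginal", "carol": "marginal"}

if __name__ == "__main__":
    print("type-blind:", validity_type_blind(SAMPLE_CERTS, SAMPLE_TRUST))
    print("type-aware:", validity_type_aware(SAMPLE_CERTS, SAMPLE_TRUST))
```

With the sample input the type-blind rule reaches "full" validity from two certifications that say nothing was checked, while the type-aware rule leaves the User ID only marginally valid.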