Signing photo IDs (was Re: SHA-1 recommendations)

David Shaw dshaw at
Mon May 18 19:09:48 CEST 2009

(Split off from the earlier thread, as the topic has drifted)

On May 18, 2009, at 11:14 AM, Daniel Kahn Gillmor wrote:

>> Incidentally, I don't sign photo IDs.  It has nothing to do with this
>> theoretical attack - a photo ID does not make a statement that I am
>> willing to certify.
> I've always assumed that a User Attribute of a jpeg is semantically
> interpreted as a visual representation of the keyholder, by analogy to
> the photo in a passport, driver's license, or other official
> documentation.  It basically says "<so-and-so> looks like this:".   
> This
> can change a fair amount (hair changes, age, accidents, body
> modifications, odd lighting, etc make images far more fluid than UTF-8
> name designations), so I can understand not being willing to make a
> long-lived certification like this.  But i don't think it invalidates
> the concept.

I'm not saying the concept is invalid.  Just that I personally don't  
find it compelling enough to sign.

A user ID string says at least two useful things about the keyholder:  
a) their real-world name, and b) how they can be reached (i.e. their  
email).  Many people don't bother to check (b), which I find silly -  
taking some non-zero effort to verify the first half of the user ID  
(by looking at drivers licenses, etc) but no effort at all to check  
the second half?  A photo is a different sort of thing altogether.   
While a name+email makes a reasonably strong binding between a real  
person and a key, a photo doesn't.  That would be certifying them (and  
in practice making their key become valid) because I think they  
resemble a photo.

> (as an aside, this does make me particularly wary of people who sign
> photo IDs like the one attached to F1530A35)

Maybe he really does look like that...


More information about the Gnupg-devel mailing list