Signing photo IDs (was Re: SHA-1 recommendations)

gerry_lowry (alliston ontario canada) gerry.lowry at
Mon May 18 20:38:43 CEST 2009

I think I"m agreeing with David Shaw.  My key has my photo.
I'm the male between the two pictures of the lawyer Gerry Lowry at
(assuming the Google images you see are in the same order as I see now;
 that can change because Google is fluid).

Problem is, since that picture was taken, I've lost weight.  Also, I've glasses
for reading and glasses for driving because I refuse to wear bifocals.  So I
may not look like my photo.  Add to that the ability of professional make up
artists to make people appear to be someone else and you get a bit of a
political thriller movie aspect to the whole picture thing.

Then, there's good old PhotoShop and similar software.  So a picture is just
not that reliable.  What a picture does add, however, is another layer to the
security onion.  While this makes the picture valuable, it is of lesser value
that a driver's license and a passport.  Of greatest value are real people
who are worthy of trust and actually have known you for a very long time.

Brief encounters at a key signing party are useful but are also of questionable value.

If I do not know you but I do know the person who signed your key and that person
knows you well and will vouch for you, therein is great value.

A worst case scenario is still possible:  Bob's doctor, lawyer, dentist, and member
of parliament have all signed Bob's key.  Bob has 616 additional signatures from
the 72 key signing parties that he's attended and hosted over the last 11.5 years.
The is no doubt that Bob's signature is valid.  Unfortunately, through the application
of rubber hose cryptanalysis, Bob has revealed all prior to being embedded in concrete
overshoes and sent to the bottom of a lake.


More information about the Gnupg-devel mailing list