Third party information (was: Semi-automated trust, policy)
Huels, Ralf SCORE
Tue Dec 10 08:10:02 2002
Michael Nahrath wrote:
> > If I look up keys with that email address and find one
> > that's robot-verified, I may feel confident enough to
> > sign it myself based on that.
> If you do silly things like this, the whole system of signing
> in person gets worthless.
Quite agree, quite agree, but...
> NEVER SIGN A KEY BASED UPON OTHER PEOPLE'S SIGNINGS !
> Even if my key had signature from each regular of this list
> you should not
> sign my key if you have not personally checked that I am I.
..this sends me off on a tangent. What if I *did* check this
but need to establish whether I have the correct key?
The case at hand might be slightly pathological but recently
I attended a key signing and checked a person's ID. The guy
(incidentally, a reader of this list) gave me the usual paper
slip with key information. When I took this out at home to
sign his key I found that while the key ID, date and some
UIDs were there, the Fingerprint was missing. Apparently
he had prepared the material in a hurry and used a printout
that didn't have the fingerprint.
I of course had only checked the name fields in the UIDs
against his ID and the question of a fingerprint didn't
concern me during the meeting.
I chose not to sign this key even though it carries a
signature of one of my trusted introducers, the holder of
the secret key could describe the location of the event in
encrypted communication and soon after the event my own
key was signed with that key.
So, I met this person, am sufficiently convinced of his
identity, he has claimed ownership of a well-signed key
and I still didn't sign it because he didn't list the
fingerprint in his claim of ownership.
Am I being overly paranoid? (Apart from the fact that this
might serve as a lesson to take more care when preparing
for a key signing ;-)