automated userid certifications (was Re: E-Mail Encryption: Why Isn't Everyone Doing It?)

Jason Harris
Sat Oct 26 23:13:02 2002

On Fri, Oct 25, 2002 at 07:22:46PM -0400, David Shaw wrote:
> On Fri, Oct 25, 2002 at 07:09:42PM -0400, Jason Harris wrote:

> > Instead of trying to keep track of PGP keys making userid certifications
> > in automated systems, would a new signature class (0x14 - email address
> > verified via challenge/response) be advisable?  I've already issued
> > a few 0x12 (casually checked) signatures instead of 0x13 (carefully
> > checked) signatures to handle this situation...
> I'd rather use 0x11, as a new signature class would have a serious
> backwards compatibility problem.  0x11 is pretty good for this
> purpose.

[RFC wording]
"0x11: Persona certification of a User ID and Public Key packet.
The issuer of this certification has not done any verification
of the claim that the owner of this key is the user ID

So a 0x11 signature really means that a person's first and last name,
if given, weren't verified (against a photo ID), but the rest of the
signed (hashed) data in the (public key and userid) packet(s) is being
certified, right?

Thank you for pointing this out.

[GPG wording]
"How carefully have you verified the key you are about to sign actually belongs
to the person named above?  If you don't know what to answer, enter "0".

   (0) I will not answer. (default)
   (1) I have not checked at all.
   (2) I have done casual checking.
   (3) I have done very careful checking."

This wording throws me off though.  I feel that I have verified something
when I'm certifying an email <-> key connection, whether or not a first
and last name ("person named above") are given in the userid packet.


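As an added illustration of the point about what a 0x11 certification actually covers (this is example code written for this page, not anything from the thread, GnuPG or the RFC), the following Python builds the exact octets a v4 User ID certification hashes, per RFC 4880 section 5.2.4 (the same construction RFC 2440 specified for v4 signatures): the public key packet body, the User ID packet body, the signature's hashed fields, and the trailer. Running it for class 0x11 and 0x13 over the same key and User ID shows that the two hash inputs differ in exactly one octet, the signature class itself, while the key material and the full User ID string (name and e-mail address) are certified in both cases. The key, User ID and timestamps are constructed sample values, not a real key; the `CERT_CLASSES` table and the mapping of gpg's answers 0..3 onto 0x10..0x13 follow the RFC and the gpg prompt quoted above.

```python
import hashlib
import struct

# Certification signature classes (RFC 2440 / RFC 4880, section 5.2.1); gpg's
# prompt answers 0..3 map to 0x10..0x13 in this order.
CERT_CLASSES = {
    0x10: "generic certification (no assertion about verification)",
    0x11: "persona certification (identity claim not verified)",
    0x12: "casual certification",
    0x13: "positive certification (carefully verified)",
}

# Hash algorithm ids from RFC 4880 section 9.4 (2 = SHA-1, 8 = SHA-256).
HASH_ALGS = {2: hashlib.sha1, 8: hashlib.sha256}


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: two-octet bit count, then big-endian octets."""
    nbits = value.bit_length()
    return struct.pack(">H", nbits) + value.to_bytes((nbits + 7) // 8, "big")


def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 RSA public key packet: version, creation time, algorithm 1, n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def subpacket(sp_type: int, body: bytes) -> bytes:
    """A signature subpacket with a one-octet length (valid while the body is under 191 octets)."""
    if len(body) + 1 >= 192:
        raise ValueError("one-octet subpacket length only covers bodies under 191 octets")
    return bytes([len(body) + 1, sp_type]) + body


def certification_hash_input(key_body: bytes, user_id: bytes, sig_class: int,
                             hashed_subpackets: bytes, pk_alg: int = 1, hash_alg: int = 2) -> bytes:
    """Return exactly the octets a v4 User ID certification hashes (RFC 4880 section 5.2.4).

    Layout: 0x99 + two-octet length + key packet body, then 0xB4 + four-octet
    length + User ID, then the signature's hashed fields (version, class, public
    key algorithm, hash algorithm, hashed subpacket length, hashed subpackets),
    then the trailer 0x04 0xFF + four-octet length of those hashed fields.
    """
    if sig_class not in CERT_CLASSES:
        raise ValueError(f"0x{sig_class:02x} is not a User ID certification class")
    key_part = b"\x99" + struct.pack(">H", len(key_body)) + key_body
    uid_part = b"\xb4" + struct.pack(">I", len(user_id)) + user_id
    sig_part = (bytes([4, sig_class, pk_alg, hash_alg])
                + struct.pack(">H", len(hashed_subpackets)) + hashed_subpackets)
    trailer = b"\x04\xff" + struct.pack(">I", len(sig_part))
    return key_part + uid_part + sig_part + trailer


def certification_digest(key_body: bytes, user_id: bytes, sig_class: int,
                         hashed_subpackets: bytes, hash_alg: int = 2) -> str:
    """Hex digest that the certifier's private key would actually sign."""
    data = certification_hash_input(key_body, user_id, sig_class, hashed_subpackets, hash_alg=hash_alg)
    return HASH_ALGS[hash_alg](data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length byte strings differ."""
    if len(a) != len(b):
        raise ValueError("inputs differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


# Constructed sample values: not a real key, not a real signature.
SAMPLE_KEY_BODY = v4_rsa_public_key_body(created=1035600000, n=0xC0FFEE, e=65537)
SAMPLE_USER_ID = b"Example User <user@example.org>"
SAMPLE_HASHED_SUBPACKETS = subpacket(2, struct.pack(">I", 1035600000))  # signature creation time


if __name__ == "__main__":
    persona = certification_hash_input(SAMPLE_KEY_BODY, SAMPLE_USER_ID, 0x11, SAMPLE_HASHED_SUBPACKETS)
    positive = certification_hash_input(SAMPLE_KEY_BODY, SAMPLE_USER_ID, 0x13, SAMPLE_HASHED_SUBPACKETS)
    for off in differing_offsets(persona, positive):
        print(f"hash inputs differ only at offset {off}: 0x{persona[off]:02x} vs 0x{positive[off]:02x}")
    for cls, meaning in CERT_CLASSES.items():
        digest = certification_digest(SAMPLE_KEY_BODY, SAMPLE_USER_ID, cls, SAMPLE_HASHED_SUBPACKETS)
        print(f"0x{cls:02x} {meaning:55} sha1={digest[:16]}...")
```

The single differing octet is the class byte inside the signature's hashed fields, so a verifier can always tell 0x11 from 0x13, but everything the signer attests to (key packet, User ID string including the e-mail address) is hashed identically in both. SHA-1 is used here only because that is the hash algorithm of the era the thread comes from; passing `hash_alg=8` selects SHA-256.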