automated userid certifications (was Re: E-Mail Encryption: Why Isn't Everyone Doing It?)
Sat Oct 26 23:13:02 2002
On Fri, Oct 25, 2002 at 07:22:46PM -0400, David Shaw wrote:
> On Fri, Oct 25, 2002 at 07:09:42PM -0400, Jason Harris wrote:
> > Instead of trying to keep track of PGP keys making userid certifications
> > in automated systems, would a new signature class (0x14 - email address
> > verified via challenge/response) be advisable? I've already issued
> > a few 0x12 (casually checked) signatures instead of 0x13 (carefully
> > checked) signatures to handle this situation...
> I'd rather use 0x11, as a new signature class would have a serious
> backwards compatibility problem. 0x11 is pretty good for this
"0x11: Persona certification of a User ID and Public Key packet.
The issuer of this certification has not done any verification
of the claim that the owner of this key is the user ID
So a 0x11 signature really means that a person's first and last name,
if given, weren't verified (against a photo ID), but the rest of the
signed (hashed) data in the (public key and userid) packet(s) is being
Thank you for pointing this out.
"How carefully have you verified the key you are about to sign actually belongs
to the person named above? If you don't know what to answer, enter "0".
(0) I will not answer. (default)
(1) I have not checked at all.
(2) I have done casual checking.
(3) I have done very careful checking."
This wording throws me off though. I feel that I have verified something
when I'm certifying an email <-> key connection, whether or not a first
and last name ("person named above") are given in the userid packet.
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
email@example.com | web: http://jharris.cjb.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (FreeBSD)
-----END PGP SIGNATURE-----
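The 0x11/0x12/0x13 classes discussed in this message, as an added example that is not part of the original post and not GnuPG's own code: a small Python parser that reads the signature type octet out of v3 and v4 OpenPGP signature packets (RFC 2440 section 5.2) and labels the four certification classes 0x10 to 0x13, pairing each with the user ID packet it follows. The packets in SAMPLE_KEYRING are constructed by hand with dummy times, key IDs and MPIs, so they are structurally valid packets but not valid signatures.

```python
"""Classify OpenPGP certification signatures by signature class.

Added example, not from the original post. Parses old- and new-format packet
headers, reads the signature type of v3/v4 signature packets (tag 2) and maps
0x10..0x13 to the certification levels GnuPG's sign prompt offers.
"""

CERT_CLASSES = {
    0x10: "generic certification (0x10)",
    0x11: "persona certification, no verification (0x11)",
    0x12: "casual certification (0x12)",
    0x13: "positive certification, careful checking (0x13)",
}


def parse_packet_header(data, off):
    """Return (tag, body_offset, body_length) for the packet starting at off.

    Handles old-format headers (1/2/4-octet lengths) and new-format one-,
    two- and five-octet lengths. Partial and indeterminate lengths are
    rejected: certifications and user IDs never need them.
    """
    ctb = data[off]
    if not ctb & 0x80:
        raise ValueError("bit 7 of the packet tag octet must be set")
    if ctb & 0x40:  # new-format header
        tag = ctb & 0x3F
        first = data[off + 1]
        if first < 192:
            return tag, off + 2, first
        if first < 224:
            length = ((first - 192) << 8) + data[off + 2] + 192
            return tag, off + 3, length
        if first == 255:
            length = int.from_bytes(data[off + 2:off + 6], "big")
            return tag, off + 6, length
        raise ValueError("partial body length not supported")
    tag = (ctb >> 2) & 0x0F  # old-format header
    ltype = ctb & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    nbytes = 1 << ltype  # 1, 2 or 4 length octets
    length = int.from_bytes(data[off + 1:off + 1 + nbytes], "big")
    return tag, off + 1 + nbytes, length


def signature_type(body):
    """Return (version, signature type) for a signature packet body."""
    version = body[0]
    if version == 3:
        # v3: version, length of hashed material (always 5), type, time...
        if body[1] != 5:
            raise ValueError("v3 signature hashed length must be 5")
        return 3, body[2]
    if version == 4:
        return 4, body[1]
    raise ValueError("unsupported signature version %d" % version)


def classify_certifications(data):
    """Walk a packet stream and return (user_id, version, class, label)
    for every certification signature, each paired with the most recent
    user ID packet (tag 13) seen before it. Other signature types are skipped."""
    out = []
    uid = None
    off = 0
    while off < len(data):
        tag, body_off, length = parse_packet_header(data, off)
        body = data[body_off:body_off + length]
        if tag == 13:
            uid = body.decode("utf-8", "replace")
        elif tag == 2:
            version, stype = signature_type(body)
            if stype in CERT_CLASSES:
                out.append((uid, version, stype, CERT_CLASSES[stype]))
        off = body_off + length
    return out


# Constructed sample packets (dummy time, key ID, hash prefix and MPI).
_UID = b"Alice <alice@example.org>"
UID_PKT = bytes([0xB4, len(_UID)]) + _UID                     # old format, tag 13
_SIG_V4_CASUAL = bytes([4, 0x12, 1, 2, 0x00, 0x06, 5, 2, 0x3D, 0xBB, 0x1E, 0x00,
                        0x00, 0x00, 0xAB, 0xCD, 0x00, 0x08, 0xA5])
SIG_V4_PKT = bytes([0x88, len(_SIG_V4_CASUAL)]) + _SIG_V4_CASUAL   # old format, tag 2
_SIG_V3_POSITIVE = (bytes([3, 5, 0x13]) + bytes(4) + bytes(8)
                    + bytes([1, 2, 0xAB, 0xCD, 0x00, 0x08, 0xA5]))
SIG_V3_PKT = bytes([0xC2, len(_SIG_V3_POSITIVE)]) + _SIG_V3_POSITIVE  # new format, tag 2
_SIG_BINDING = bytes([4, 0x18, 1, 2, 0, 0, 0, 0, 0xAB, 0xCD, 0x00, 0x08, 0xA5])
SIG_BIND_PKT = bytes([0x88, len(_SIG_BINDING)]) + _SIG_BINDING  # subkey binding, skipped
SAMPLE_KEYRING = UID_PKT + SIG_V4_PKT + SIG_V3_PKT + SIG_BIND_PKT

if __name__ == "__main__":
    for uid, version, stype, label in classify_certifications(SAMPLE_KEYRING):
        print("v%d signature on %r: %s" % (version, uid, label))
```

In both signature versions the type octet is part of the hashed material, so a relying party can trust the class a certifier chose: nobody can promote a 0x12 to a 0x13 without re-signing with the certifier's key.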