automated userid certifications (was Re: E-Mail Encryption: Why Isn't Everyone Doing It?)

Jason Harris jharris@widomaker.com
Sat Oct 26 23:13:02 2002


On Fri, Oct 25, 2002 at 07:22:46PM -0400, David Shaw wrote:
> On Fri, Oct 25, 2002 at 07:09:42PM -0400, Jason Harris wrote:

> > Instead of trying to keep track of PGP keys making userid certifications
> > in automated systems, would a new signature class (0x14 - email address
> > verified via challenge/response) be advisable?  I've already issued
> > a few 0x12 (casually checked) signatures instead of 0x13 (carefully
> > checked) signatures to handle this situation...
>
> I'd rather use 0x11, as a new signature class would have a serious
> backwards compatibility problem.  0x11 is pretty good for this
> purpose.

[RFC wording]
"0x11: Persona certification of a User ID and Public Key packet.
The issuer of this certification has not done any verification
of the claim that the owner of this key is the user ID
specified."

So a 0x11 signature really means that a person's first and last name,
if given, weren't verified (against a photo ID), but the rest of the
signed (hashed) data in the (public key and userid) packet(s) is being
certified, right?

Thank you for pointing this out.

[GPG wording]
"How carefully have you verified the key you are about to sign actually belongs
to the person named above?  If you don't know what to answer, enter "0".

   (0) I will not answer. (default)
   (1) I have not checked at all.
   (2) I have done casual checking.
   (3) I have done very careful checking."

This wording throws me off though.  I feel that I have verified something
when I'm certifying an email <-> key connection, whether or not a first
and last name ("person named above") are given in the userid packet.

-- 
Jason Harris          | NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris@widomaker.com | web:  http://jharris.cjb.net/

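Added example, not part of the original message and not GnuPG's code: a small Python reader that pulls the signature-type byte out of an OpenPGP signature packet and maps it to the certification classes discussed above (0x10 to 0x13) and the GnuPG prompt answer that selects each. The function names and `sample_packet` are hypothetical, and the sample packets are constructed headers with the signature MPIs omitted.

```python
# Certification signature types from the RFC quoted above, paired with the
# GnuPG check-level answer (0-3) that selects each one. 0x14 is only the
# proposal made in this thread, so it is deliberately absent.
CERT_TYPES = {0x10: ("generic", 0), 0x11: ("persona", 1),
              0x12: ("casual", 2), 0x13: ("positive", 3)}

def read_packet(data):
    """Return (tag, body) of the first OpenPGP packet in data."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                      # new-format header
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            length, start = first, 2
        elif first < 224:
            length, start = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, start = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths not handled")
    else:                               # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled")
        n = 1 << ltype
        length, start = int.from_bytes(data[1:1 + n], "big"), 1 + n
    body = data[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body

def certification_level(packet):
    """Return (sig_type, name, gpg_level); name is None for non-certifications."""
    tag, body = read_packet(packet)
    if tag != 2:
        raise ValueError("not a signature packet")
    if body[0] == 4:                    # v4: version, type, ...
        sig_type = body[1]
    elif body[0] == 3:                  # v3: version, hashed length (5), type, ...
        sig_type = body[2]
    else:
        raise ValueError("unsupported signature version")
    return (sig_type, *CERT_TYPES.get(sig_type, (None, None)))

def sample_packet(sig_type, version=4):
    """Constructed signature packet header; signature MPIs are omitted."""
    body = (bytes([4, sig_type, 17, 2]) + bytes(6) if version == 4 else
            bytes([3, 5, sig_type]) + bytes(12) + bytes([17, 2]) + bytes(2))
    return bytes([0x88, len(body)]) + body
```

A packet carrying the proposed 0x14 type comes back with no certification name, which is how any reader built around the four defined classes would see it.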