automated userid certifications (was Re: E-Mail Encryption: Why Isn't Everyone Doing It?)

David Shaw
Sun Oct 27 03:57:01 2002

On Sat, Oct 26, 2002 at 05:13:55PM -0400, Jason Harris wrote:
> On Fri, Oct 25, 2002 at 07:22:46PM -0400, David Shaw wrote:
> > On Fri, Oct 25, 2002 at 07:09:42PM -0400, Jason Harris wrote:
> > > Instead of trying to keep track of PGP keys making userid certifications
> > > in automated systems, would a new signature class (0x14 - email address
> > > verified via challenge/response) be advisable?  I've already issued
> > > a few 0x12 (casually checked) signatures instead of 0x13 (carefully
> > > checked) signatures to handle this situation...
> > 
> > I'd rather use 0x11, as a new signature class would have a serious
> > backwards compatibility problem.  0x11 is pretty good for this
> > purpose.
> [RFC wording]
> "0x11: Persona certification of a User ID and Public Key packet.
> The issuer of this certification has not done any verification
> of the claim that the owner of this key is the user ID
> specified."
> So a 0x11 signature really means that a person's first and last name,
> if given, weren't verified (against a photo ID), but the rest of the
> signed (hashed) data in the (public key and userid) packet(s) is being
> certified, right?

It means only what it says.  It's a semantic difference, not a
functional difference.  The user ID is being certified, because there
is a signature being made at all, but the semantic meaning of that
certification is "I'm making this signature, but I didn't check what
I'm certifying".  RFC-1991 defines it as "This key was created by
someone who has told me that he is this user" which is perhaps a
better way to look at it.

> [GPG wording]
> "How carefully have you verified the key you are about to sign actually belongs
> to the person named above?  If you don't know what to answer, enter "0".
>    (0) I will not answer. (default)
>    (1) I have not checked at all.
>    (2) I have done casual checking.
>    (3) I have done very careful checking."
> This wording throws me off though.  I feel that I have verified something
> when I'm certifying an email <-> key connection, whether or not a first
> and last name ("person named above") are given in the userid packet.

Yes.  However, I think the 0x11 "I haven't checked" is closer to the
right value than the 0x12 "I casually checked".  It's all a matter of
the opinion of the *signer*, so it would be equally appropriate for it
to be a 0x13 - if the email checking robot considered checking email
"very careful" ;)


   David Shaw  |  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
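
The signature class the thread is arguing over (0x11 versus 0x12 versus 0x13, or a hypothetical 0x14) is a single byte of the signature packet, which is why the difference is semantic rather than functional. The Python below is an added example and is not part of this message or of GnuPG; it pulls the signature type byte out of a v3 or v4 OpenPGP signature packet, following the layout in RFC 2440 section 5.2 (unchanged in RFC 4880), and maps it to the certification meaning defined there. The sample packets it builds are constructed for illustration, with dummy key IDs, hash bits and MPI values, and the creation timestamp is arbitrary; they are not real signatures. The 0x14 case shows the compatibility point from the reply: an implementation that knows only 0x10-0x13 has no certification meaning for it.

```python
"""Read the signature class (0x10-0x13) out of an OpenPGP certification.

Added example; not from the mailing-list thread or from GnuPG.  Packet
layout follows RFC 2440 / RFC 4880 section 4.2 (packet headers) and
section 5.2 (signature packets).  The sample packets constructed below
carry dummy key IDs, hash bits and MPI values, not real signatures.
"""
import struct

SIGNATURE_TAG = 2

# Section 5.2.1: the four certification signature types.
CERT_CLASSES = {
    0x10: "generic certification (no claim about verification)",
    0x11: "persona certification (issuer did no verification)",
    0x12: "casual certification (issuer did casual verification)",
    0x13: "positive certification (issuer did substantial verification)",
}


def parse_packet_header(data):
    """Return (tag, body_offset, body_length) for the packet starting at data[0]."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("bit 7 clear: not an OpenPGP packet")
    if ctb & 0x40:                      # new-format header
        tag = ctb & 0x3F
        first = data[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + data[2] + 192
        if first == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths not handled here")
    tag = (ctb >> 2) & 0x0F             # old-format header
    length_type = ctb & 0x03
    if length_type == 0:
        return tag, 2, data[1]
    if length_type == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if length_type == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate-length packets not handled here")


def signature_type(packet):
    """Return the signature type byte of a v3 or v4 signature packet."""
    tag, offset, length = parse_packet_header(packet)
    if tag != SIGNATURE_TAG:
        raise ValueError(f"tag {tag} is not a signature packet")
    body = packet[offset:offset + length]
    version = body[0]
    if version == 4:
        return body[1]                  # v4: version, type, pk algo, hash algo, ...
    if version == 3:
        return body[2]                  # v3: version, hashed length (5), type, ...
    raise ValueError(f"unsupported signature version {version}")


def describe_certification(sigtype):
    """Map a signature type to its certification meaning.

    Anything outside 0x10-0x13 (for example a proposed 0x14) is not a
    certification at all to an existing implementation; that is the
    backwards-compatibility problem with adding a new class.
    """
    return CERT_CLASSES.get(sigtype, f"not a known certification class (0x{sigtype:02x})")


def build_v4_certification(sigtype, new_format=False):
    """Construct a syntactically valid v4 signature packet with dummy contents."""
    creation = b"\x05\x02" + struct.pack(">I", 1035700000)     # subpacket 2: creation time (arbitrary)
    issuer = b"\x09\x10" + bytes.fromhex("0123456789abcdef")   # subpacket 16: dummy issuer key ID
    body = bytes([4, sigtype, 17, 2])                          # v4, type, DSA, SHA-1
    body += struct.pack(">H", len(creation)) + creation        # hashed subpackets
    body += struct.pack(">H", len(issuer)) + issuer            # unhashed subpackets
    body += b"\xab\xcd"                                        # dummy left 16 bits of hash
    body += struct.pack(">H", 8) + b"\xff"                     # dummy 8-bit MPI r
    body += struct.pack(">H", 8) + b"\xfe"                     # dummy 8-bit MPI s
    if new_format:
        header = bytes([0xC0 | SIGNATURE_TAG, len(body)])
    else:
        header = bytes([0x80 | (SIGNATURE_TAG << 2), len(body)])
    return header + body


if __name__ == "__main__":
    for cls in (0x11, 0x12, 0x13, 0x14):
        pkt = build_v4_certification(cls, new_format=(cls % 2 == 0))
        t = signature_type(pkt)
        print(f"0x{t:02x}: {describe_certification(t)}")
```

To see the same byte on a real key, `gpg --list-sigs` prints the level as the digit after `sig` (`sig 3` for 0x13, nothing for 0x10), and `gpg --with-colons --list-sigs` shows the full class in the signature-class field as two hex digits, e.g. `13x` for an exportable 0x13.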