Why CAs or public keysigning?

CL Gilbert Lamont_Gilbert@RigidSoftware.com
Wed Jun 18 18:04:02 2003

Peter L. Smilde wrote:
| The problem I stated was not: "Do I trust the signers of a key". For
| this problem I assume I DO TRUST the CA or at least some of the keyparty
| signers. So I believe they have checked the ID of the person carefully.
| My problem is different: even WHEN I trust that they have checked a
| person, I cannot be sure that they checked the person I want to
| communicate with. This problem occurs as soon as duplicate names are
| possible.
| A CA that convinces me to sign only completely (or very likely) unique
| UIDs (even unique for persons that are not yet registered by the CA,
| otherwise I might send my secrets to the registered person, although I
| expected to send them to the unregistered one) is OK, but most
| (OpenPGP-)CAs don't make such statements.
| --
| Peter L. Smilde
| Budenheim, Germany

The CA needs to produce for you the material they used to authenticate
the user in question.  If they do not, then you have no way to identify
the person.  What you need is a personal meeting.

For me, if you will only ever communicate on the computer, then a
computer authentication should be all you ever need.  If you intend to
make a personal meeting, then you need to authenticate the human person
to the computer user.  If you plan to have phone communication, then you
need to authenticate the phone number to the computer user.  This is all
easy by simply receiving a signed email from the computer user with a
picture and a phone number in it.

Note PGP does not help you trust the person you are dealing with, it
only helps you to authenticate them to a standard *you* must
initially set.

Gnupg-users mailing list

-- 
Thank you,

CL Gilbert
Free Java interface to Freechess.org
"Then said I, Wisdom [is] better than strength: nevertheless the poor
man's wisdom [is] despised, and his words are not heard." Ecclesiastes 9:16

GnuPG Key Fingerprint:
82A6 8893 C2A1 F64E A9AD  19AE 55B2 4CD7 80D2 0A2D
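As an added illustration of the duplicate-name problem raised in the quoted message (example code, not part of the original post or of GnuPG): a small Python check over `gpg --list-keys --with-colons --fingerprint` output that flags display names carried by more than one key, which is exactly the case where a trusted signature on "a" key does not tell you it is "the" key, and only the fingerprint, confirmed out of band, disambiguates. The colon-format listing below is constructed sample data with placeholder fingerprints.

```python
import re
from collections import defaultdict

# Constructed sample of `gpg --list-keys --with-colons --fingerprint` output.
# Not real keys: the fingerprints are made-up placeholders.
SAMPLE = """\
pub:f:2048:1:AAAAAAAAAAAAAAAA:2003-06-18::f:::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
uid:f::::2003-06-18::X1::Alice Example <alice@example.org>::::::::::0:
pub:f:2048:1:BBBBBBBBBBBBBBBB:2003-06-18::f:::scESC:
fpr:::::::::2222222222222222222222222222222222222222:
uid:f::::2003-06-18::X2::Alice Example (work) <alice@example.net>::::::::::0:
pub:f:2048:1:CCCCCCCCCCCCCCCC:2003-06-18::f:::scESC:
fpr:::::::::3333333333333333333333333333333333333333:
uid:f::::2003-06-18::X3::Bob Example <bob@example.org>::::::::::0:
"""

# Display name = everything before an optional "(comment)" and "<email>".
NAME_RE = re.compile(r"^\s*([^<(]+?)\s*(?:\(.*?\))?\s*(?:<[^>]*>)?\s*$")


def parse_keys(colons):
    """Return a list of (primary fingerprint, [user ids]) from colon output.

    Field 10 (index 9) holds the fingerprint on 'fpr' records and the user
    ID on 'uid' records. Only the 'fpr' immediately after 'pub' is the
    primary-key fingerprint; 'fpr' after 'sub' records is ignored.
    """
    keys, fpr, uids, want_fpr = [], None, [], False
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            if fpr is not None:
                keys.append((fpr, uids))
            fpr, uids, want_fpr = None, [], True
        elif f[0] == "fpr" and want_fpr:
            fpr, want_fpr = f[9], False
        elif f[0] == "uid":
            uids.append(f[9])
    if fpr is not None:
        keys.append((fpr, uids))
    return keys


def normalize_name(uid):
    m = NAME_RE.match(uid)
    return (m.group(1) if m else uid).casefold()


def ambiguous_names(keys):
    """Names that appear on more than one key, mapped to their fingerprints."""
    by_name = defaultdict(set)
    for fpr, uids in keys:
        for uid in uids:
            by_name[normalize_name(uid)].add(fpr)
    return {n: sorted(f) for n, f in by_name.items() if len(f) > 1}
```

Any name reported by `ambiguous_names` cannot be resolved by the name alone; the recipient has to match the fingerprint against something obtained from the intended person directly, as the reply above suggests.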