Why CAs or public keysigning?

Ingo Klöcker ingo.kloecker@epost.de
Thu Jun 19 03:08:02 2003


--Boundary-02=_bqP8+Mr8t7FobPz
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Wednesday 18 June 2003 18:53, David Shaw wrote:
> On Wed, Jun 18, 2003 at 12:22:25PM -0400, Dennis Lambe Jr. wrote:
> > Without the WoT, I could be anyone.  With the WoT, I could be
> > anyone named Dennis Lambe Jr.  The WoT does not completely
> > eliminate the problem of misrepresentation, but it makes it
> > millions of times less likely.
>
> It's even better than that: you're not just anyone named Dennis Lambe
> Jr - you're anyone named Dennis Lambe Jr with a particular email
> address.  Including an email address (with few exceptions like
> shared or role accounts) very effectively eliminates nearly all
> possible name duplications.
>
> It is true that many signers do not take the time to verify an email
> address when signing.  This is unfortunate.

"many" is an understatement. My experience is that most signers do not
verify email addresses. My primary uid was signed by 58 persons. Only 3
or 4 of the signers also verified my email addresses. (FWIW, I verify
all email addresses.) This wouldn't be a problem if those signers that
didn't verify my email addresses hadn't given their signature
the highest possible rating 3. But some of them did. So it's not
possible to distinguish really good signatures from not so good
signatures.

Even worse is that 2 or 3 signatures on my key are from people that
never checked my ID. But that's another problem.

To prevent overrated signatures I suggest changing
   (2) I have done casual checking.
   (3) I have done very careful checking.
to
   (2) I have checked the identity of this person.
   (3) I have checked the identity and the email address of this person.

Alternatively (instead of changing the description of the existing
grades) add
   (4) I have done very careful checking and I even verified the email
addresses.

Of course we can't prevent people from overrating their signatures. But
the above wording would make it more obvious that just checking the
identity is not enough for a high-rated signature. I'm convinced that
most people that overrated their signatures did so because they thought
that carefully checking the identity of the key owner would be enough
for a level 3 signature. IMO it's not enough.

Regards,
Ingo
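The certification levels discussed in this message correspond to the OpenPGP signature classes 0x10 (generic), 0x11 (persona), 0x12 (casual) and 0x13 (positive), which `gpg --list-sigs --with-colons` reports in field 11 of each `sig` record. As an added example (not part of the thread, and not GnuPG code), the script below tallies third-party certifications per user ID by class on constructed sample output, so a key owner can see how many signers claimed the top level; the key IDs and names are made up.

```python
from collections import Counter, defaultdict

# Constructed sample of `gpg --list-sigs --with-colons` output (fake keys).
# sig records: field 5 = signer key ID, field 10 = signer user ID,
# field 11 = signature class ("10".."13") plus "x" (exportable) or "l" (local).
SAMPLE = """\
pub:u:1024:17:0123456789ABCDEF:2003-06-19::::::scESC:
uid:u::::2003-06-19::UIDHASH1::Alice Example <alice@example.org>:
sig:::17:0123456789ABCDEF:1055987000::::Alice Example <alice@example.org>:13x:
sig:::17:FEDCBA9876543210:1055987100::::Bob Signer <bob@example.org>:13x:
sig:::17:1111222233334444:1055987200::::Carol Signer <carol@example.org>:12x:
sig:::17:5555666677778888:1055987300::::Dave Signer <dave@example.org>:10x:
uid:u::::2003-06-19::UIDHASH2::Alice Example <alice@example.net>:
sig:::17:0123456789ABCDEF:1055987000::::Alice Example <alice@example.org>:13x:
sig:::17:FEDCBA9876543210:1055987400::::Bob Signer <bob@example.org>:11x:
sig:::17:1111222233334444:1055987500::::Carol Signer <carol@example.org>:12l:
"""

LEVEL_NAMES = {"10": "generic", "11": "persona", "12": "casual", "13": "positive"}


def certifications_by_uid(colon_output, own_keyid):
    """Return {uid: Counter({class: count})} of exportable third-party
    certifications, skipping self-signatures and local (non-exportable) ones."""
    result = defaultdict(Counter)
    current_uid = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "uid":
            current_uid = fields[9]          # field 10: the user ID string
        elif fields[0] == "sig" and current_uid is not None:
            signer, sigclass = fields[4], fields[10]   # fields 5 and 11
            if signer == own_keyid or not sigclass.endswith("x"):
                continue
            result[current_uid][sigclass[:2]] += 1
    return result


def positive_ratio(counts):
    """Fraction of third-party certifications on one UID claiming class 0x13."""
    total = sum(counts.values())
    return counts.get("13", 0) / total if total else 0.0


if __name__ == "__main__":
    for uid, counts in certifications_by_uid(SAMPLE, "0123456789ABCDEF").items():
        detail = ", ".join(f"{LEVEL_NAMES[c]}={n}" for c, n in sorted(counts.items()))
        print(f"{uid}: {detail}; positive share {positive_ratio(counts):.0%}")
```

Run against real output with `gpg --list-sigs --with-colons <keyid>` piped into `certifications_by_uid`; the counts show how many certifications claim level 3, but, as the message points out, not whether those signers actually verified the email address.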