Why CAs or public keysigning?
Thu Jun 19 03:08:02 2003
On Wednesday 18 June 2003 18:53, David Shaw wrote:
> On Wed, Jun 18, 2003 at 12:22:25PM -0400, Dennis Lambe Jr. wrote:
> > Without the WoT, I could be anyone. With the WoT, I could be
> > anyone named Dennis Lambe Jr. The WoT does not completely
> > eliminate the problem of misrepresentation, but it makes it
> > millions of times less likely.
> It's even better than that: you're not just anyone named Dennis Lambe
> Jr - you're anyone named Dennis Lambe Jr with a particular email
> address. Including an email addresses (with few exceptions like
> shared or role accounts) very effectively elimiates nearly all
> possible name duplications.
> It is true that many signers do not take the time to verify an email
> address when signing. This is unfortunate.
"many" is an understatement. My experience is that most signers do not=20
verify email addresses. My primary uid was signed by 58 persons. Only 3=20
or 4 of the signers also verified my email addresses. (FWIW, I verify=20
all email addresses.) This wouldn't be a problem if those signers that=20
didn't verify my email addresses wouldn't have given their signature=20
the highest possible rating 3. But some of them did. So it's not=20
possible to distinguish really good signatures from not so good=20
Even worth is that 2 or 3 signatures on my key are from people that=20
never checked my ID. But that's another problem.
To prevent overrated signatures I suggest to change
(2) I have done casual checking.
(3) I have done very careful checking.
(2) I have checked the identity of this person.
(3) I have checked the identity and the email address of this person.
Alternatively (instead of changing the description of the existing=20
(4) I have done very careful checking and I even verified the email=20
Of course we can't hinder people from overrating their signatures. But=20
the above wording would make it more obvious that just checking the=20
identity is not enough for a high-rated signature. I'm convinced that=20
most people that overrated their signatures did so because they thought=20
that carefully checking the identity of the key owner would be enough=20
for a level 3 signature. IMO it's not enough.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
-----END PGP SIGNATURE-----