Why CAs or public keysigning?
Ingo Klöcker
ingo.kloecker@epost.de
Thu Jun 19 13:41:03 2003
--Boundary-02=_X7Z8+wQ58l+DSEV
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
On Thursday 19 June 2003 12:48, Peter L. Smilde wrote:
> 1: Again: I am not questioning trust in signatures! There ARE enough
> people and CAs I trust (although even some very well known
> GnuPG-persons and CAs explicitly state in their policy that they
> don't check email-adresses carefully). My problem is that even when
> they have done their work perfectly, I cannot check if the person
> they checked is the same person I want to communicate with.
If you know this person's email address and you have a key with this=20
email address which is signed by someone or a CA you trust then you've=20
won. But you knew this already.
You want to know how to find the correct key (or equivalently the=20
correct email address) of, let's say, a class mate that you last saw=20
twenty years ago. Which information do you have about this classmate?=20
Do you know where he works? Do you know his date of birth? Do you know=20
where he was born? All of this information can help you to find the=20
correct key provided that this information is contained in a user id.=20
But most people don't add their date and place of birth to a user id.=20
And therefore it's pretty much impossible to find out if the key you=20
found really belongs to the person you want to communicate with. The=20
WoT can't help you to find the right email address (and thus the right=20
key). You will have to find another way to check this. Some=20
possibilities:
1. Call all people who have the name you are looking for.
2. Write messages to all people who have the name you are looking for.
3. Hire a private investigator.
> 2: Many awnsers say: "When you really want need security, then you
> usually know your communication partner personally or you ask him for
> his fingerprint." That's right. But then I don't need the signature
> of the CA or the "public keysigner" anymore (this is case 1 of my
> original posting).
In this case you are right. But with the WoT you don't necessarily need=20
to have exchanged fingerprints with this person. It's enough to know=20
the person's email address and to know another trusted person who=20
checked the person's identity and (!) his email address. But as David=20
and I already wrote most signers don't check email addresses. So unless=20
you know that the trusted signer really checked the email address you=20
will have to phone the person and ask him for his fingerprint.
Regards,
Ingo
--Boundary-02=_X7Z8+wQ58l+DSEV
Content-Type: application/pgp-signature
Content-Description: signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQA+8Z7XGnR+RTDgudgRAmBbAKCdlfs5e6bguEyBRLKxuJQGL/Us1QCgm6ME
nO5ppezSEIaL8rGkIipRC1c=
=79Ep
-----END PGP SIGNATURE-----
--Boundary-02=_X7Z8+wQ58l+DSEV--