Why CAs or public keysigning?

Ingo Klöcker ingo.kloecker@epost.de
Thu Jun 19 13:41:03 2003


On Thursday 19 June 2003 12:48, Peter L. Smilde wrote:
> 1: Again: I am not questioning trust in signatures! There ARE enough
> people and CAs I trust (although even some very well known
> GnuPG-persons and CAs explicitly state in their policy that they
> don't check email addresses carefully). My problem is that even when
> they have done their work perfectly, I cannot check if the person
> they checked is the same person I want to communicate with.

If you know this person's email address and you have a key with this
email address which is signed by someone or a CA you trust then you've
won. But you knew this already.

You want to know how to find the correct key (or equivalently the
correct email address) of, let's say, a classmate that you last saw
twenty years ago. Which information do you have about this classmate?
Do you know where he works? Do you know his date of birth? Do you know
where he was born? All of this information can help you to find the
correct key provided that this information is contained in a user id.
But most people don't add their date and place of birth to a user id.
And therefore it's pretty much impossible to find out if the key you
found really belongs to the person you want to communicate with. The
WoT can't help you to find the right email address (and thus the right
key). You will have to find another way to check this. Some
possibilities:
1. Call all people who have the name you are looking for.
2. Write messages to all people who have the name you are looking for.
3. Hire a private investigator.

> 2: Many answers say: "When you really need security, then you
> usually know your communication partner personally or you ask him for
> his fingerprint." That's right. But then I don't need the signature
> of the CA or the "public keysigner" anymore (this is case 1 of my
> original posting).

In this case you are right. But with the WoT you don't necessarily need
to have exchanged fingerprints with this person. It's enough to know
the person's email address and to know another trusted person who
checked the person's identity and (!) his email address. But as David
and I already wrote, most signers don't check email addresses. So unless
you know that the trusted signer really checked the email address you
will have to phone the person and ask him for his fingerprint.

Regards,
Ingo
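As an added illustration of the point made above (not code from the original thread or from GnuPG), the following script models a small keyring and a set of trusted signers, each flagged with whether their policy says they verify email addresses. Given an email address, it reports which keys carry that address in a certified user ID, and separates those certified by an email-checking signer from those where you would still have to confirm the fingerprint with the person. All keys, signers, names and addresses are constructed sample data.

```python
import re
from dataclasses import dataclass

# OpenPGP-style user ID: "Name (Comment) <email>"; comment and email are optional.
UID_RE = re.compile(r"^(?P<name>[^(<]*?)\s*(?:\((?P<comment>[^)]*)\))?\s*(?:<(?P<email>[^>]+)>)?$")

def parse_uid(uid: str) -> tuple:
    """Split a user ID string into (name, comment, email); the email is lower-cased."""
    m = UID_RE.match(uid.strip())
    if not m:
        raise ValueError(f"unparseable user ID: {uid!r}")
    return (m.group("name").strip(), m.group("comment") or "", (m.group("email") or "").lower())

@dataclass
class Key:
    fpr: str      # key fingerprint (constructed placeholder values below)
    certs: dict   # user ID string -> set of fingerprints of signers who certified it

@dataclass
class Signer:
    fpr: str
    checks_email: bool   # does this signer's policy state that email addresses are verified?

def candidate_keys(keyring, email, trusted):
    """Classify keys that carry `email` in a user ID.
    'ok': a trusted signer who verifies email addresses certified that user ID.
    'fingerprint_needed': the user ID is certified only by signers who do not verify
    email addresses (or by nobody we trust), so the fingerprint must be confirmed directly."""
    by_fpr = {s.fpr: s for s in trusted}
    result = {"ok": [], "fingerprint_needed": []}
    for key in keyring:
        for uid, signers in key.certs.items():
            if parse_uid(uid)[2] != email.lower():
                continue
            verified = any(by_fpr[s].checks_email for s in signers if s in by_fpr)
            result["ok" if verified else "fingerprint_needed"].append(key.fpr)
            break
    return result

# Constructed sample data: no real keys, signers or people.
TRUSTED = [Signer("CA-A", checks_email=True), Signer("CA-B", checks_email=False)]
KEYRING = [
    Key("KEY1", {"Peter Example (old classmate) <peter@example.org>": {"CA-A"}}),
    Key("KEY2", {"Peter Example <peter@example.org>": {"CA-B", "UNKNOWN"}}),
    Key("KEY3", {"Peter Example <peter@example.net>": {"CA-A"}}),
]

if __name__ == "__main__":
    print(candidate_keys(KEYRING, "peter@example.org", TRUSTED))
```

KEY3 is never reported because it carries a different address, even though a trusted signer certified it: the WoT can only confirm a key for an address you already know.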

