Why CAs or public keysigning?

David Shaw dshaw@jabberwocky.com
Thu Jun 19 15:14:03 2003


On Thu, Jun 19, 2003 at 01:49:42AM +0200, Ingo Klöcker wrote:
> On Wednesday 18 June 2003 18:53, David Shaw wrote:

> > It is true that many signers do not take the time to verify an email
> > address when signing.  This is unfortunate.
> "many" is an understatement. My experience is that most signers do not
> verify email addresses. My primary uid was signed by 58 persons. Only 3
> or 4 of the signers also verified my email addresses. (FWIW, I verify
> all email addresses.) This wouldn't be a problem if those signers that
> didn't verify my email addresses hadn't given their signature
> the highest possible rating 3. But some of them did. So it's not
> possible to distinguish really good signatures from not so good
> signatures.
>
> Even worse is that 2 or 3 signatures on my key are from people that
> never checked my ID. But that's another problem.
>
> To prevent overrated signatures I suggest changing
>    (2) I have done casual checking.
>    (3) I have done very careful checking.
> to
>    (2) I have checked the identity of this person.
>    (3) I have checked the identity and the email address of this person.
> Alternatively (instead of changing the description of the existing
> grades) add
>    (4) I have done very careful checking and I even verified the email
>        addresses.

Unfortunately, there is no way to add a (4) there since OpenPGP only
defines 3 levels (plus the "I am not going to say" level).

> Of course we can't hinder people from overrating their signatures. But
> the above wording would make it more obvious that just checking the
> identity is not enough for a high-rated signature. I'm convinced that
> most people that overrated their signatures did so because they thought
> that carefully checking the identity of the key owner would be enough
> for a level 3 signature. IMO it's not enough.

Signature levels are user-specific (i.e. my "2" might be someone else's
"3", or even "1").  I agree with you that many (or even most?) people
just hit "3" and continue, but that is actually fine: for them, that
is what a level 3 signature is.

FWIW, the help text for the signature level prompt does say something
similar to what you suggest, but it is only an example since users
must be able to decide for themselves what the levels mean.
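The three levels David refers to are the OpenPGP certification signature
types 0x11 (persona), 0x12 (casual) and 0x13 (positive), with 0x10
(generic) as the "I am not going to say" level; gpg shows them as
"sig 1", "sig 2", "sig 3" and plain "sig" in --list-sigs. The script
below is an added example, not part of the original mail or of GnuPG:
it tallies the levels claimed on a key from `gpg --list-sigs
--with-colons` output, so you can see at a glance how many of the
signatures on a key are level-3 claims versus the rest (Ingo's
complaint in a nutshell). It assumes the --with-colons record layout
from GnuPG's doc/DETAILS (on a "sig" record, field 11 is the class as
two hex digits followed by "x" for exportable or "l" for local); the
listing, key IDs and names in SAMPLE_LISTING are constructed for
illustration and belong to nobody.

```python
"""Tally OpenPGP certification levels from `gpg --list-sigs --with-colons`.

Added example; not from the original mail or from GnuPG itself. Assumes the
--with-colons layout documented in GnuPG's doc/DETAILS: on a "sig" record,
field 5 is the signer key ID, field 10 the signer's user ID and field 11 the
signature class ("13x" = class 0x13, exportable; "11l" = class 0x11, local).
"""

# RFC 2440 / RFC 4880 certification signature types. GnuPG's signing prompt
# numbers them 0..3, i.e. level = class - 0x10.
CERT_CLASS_NAMES = {
    0x10: "generic  (level 0, no statement)",
    0x11: "persona  (level 1, not checked)",
    0x12: "casual   (level 2)",
    0x13: "positive (level 3, very careful)",
}

# Constructed sample listing: key IDs, dates and names are made up.
SAMPLE_LISTING = """\
pub:u:1024:17:0123456789ABCDEF:2003-01-01:::u:::scESC:
uid:u::::2003-01-01::A1B2C3::Ingo Example <ingo@example.org>:
sig:::17:0123456789ABCDEF:2003-01-01::::Ingo Example <ingo@example.org>:13x:
sig:::17:1111111111111111:2003-06-01::::Alice <alice@example.org>:13x:
sig:::17:2222222222222222:2003-06-02::::Bob <bob@example.org>:13x:
sig:::17:3333333333333333:2003-06-03::::Carol <carol@example.org>:12x:
sig:::17:4444444444444444:2003-06-04::::Dave <dave@example.org>:10x:
sig:::17:5555555555555555:2003-06-05::::Eve <eve@example.org>:11l:
"""


def parse_certifications(listing):
    """Return (signer_keyid, signer_uid, level, exportable) for every
    third-party certification in the listing. Self-signatures are skipped:
    they say nothing about anyone else's checking."""
    own_keyids = set()
    certs = []
    for line in listing.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec in ("pub", "sub"):
            own_keyids.add(fields[4])
        elif rec == "sig":
            signer = fields[4]
            if signer in own_keyids:
                continue
            sig_class = fields[10]
            cls = int(sig_class[:2], 16)
            if cls not in CERT_CLASS_NAMES:
                continue  # not a UID certification (e.g. 0x1F direct-key sig)
            exportable = sig_class[2:3] == "x"
            certs.append((signer, fields[9], cls - 0x10, exportable))
    return certs


def tally_levels(listing):
    """Count third-party certifications per claimed level 0..3."""
    counts = {0: 0, 1: 0, 2: 0, 3: 0}
    for _, _, level, _ in parse_certifications(listing):
        counts[level] += 1
    return counts


def report(listing):
    """Print one line per certification plus the per-level tally."""
    for signer, uid, level, exportable in parse_certifications(listing):
        kind = "exportable" if exportable else "local-only"
        print(f"{signer}  {CERT_CLASS_NAMES[0x10 + level]}  {kind}  {uid}")
    print("per level:", tally_levels(listing))


if __name__ == "__main__":
    report(SAMPLE_LISTING)
```

Feed it real output by replacing SAMPLE_LISTING with the text of
`gpg --list-sigs --with-colons KEYID`. The tally only tells you what each
signer claimed, which is David's point: a "3" from someone who never
looked at the email address is indistinguishable in the data from a "3"
that was earned. Local-only ("l") certifications are worth listing
separately, since they are dropped on export and never reach a keyserver.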
