Why CAs or public keysigning?

CL Gilbert Lamont_Gilbert@RigidSoftware.com
Thu Jun 19 15:54:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ingo Kl=F6cker wrote:
| On Wednesday 18 June 2003 18:53, David Shaw wrote:
|
|>On Wed, Jun 18, 2003 at 12:22:25PM -0400, Dennis Lambe Jr. wrote:
|>
|>>Without the WoT, I could be anyone.  With the WoT, I could be
|>>anyone named Dennis Lambe Jr.  The WoT does not completely
|>>eliminate the problem of misrepresentation, but it makes it
|>>millions of times less likely.
|>
|>It's even better than that: you're not just anyone named Dennis Lam=
be
|>Jr - you're anyone named Dennis Lambe Jr with a particular email
|>address.  Including an email addresses (with few exceptions like
|>shared or role accounts) very effectively elimiates nearly all
|>possible name duplications.
|>
|>It is true that many signers do not take the time to verify an emai=
l
|>address when signing.  This is unfortunate.
|
|
| "many" is an understatement. My experience is that most signers do =
not
| verify email addresses. My primary uid was signed by 58 persons. On=
ly 3
| or 4 of the signers also verified my email addresses. (FWIW, I veri=
fy
| all email addresses.) This wouldn't be a problem if those signers t=
hat
| didn't verify my email addresses wouldn't have given their signatur=
e
| the highest possible rating 3. But some of them did. So it's not
| possible to distinguish really good signatures from not so good
| signatures.
|
| Even worth is that 2 or 3 signatures on my key are from people that
| never checked my ID. But that's another problem.
|
| To prevent overrated signatures I suggest to change
|    (2) I have done casual checking.
|    (3) I have done very careful checking.
| to
|    (2) I have checked the identity of this person.
|    (3) I have checked the identity and the email address of this pe=
rson.
|
| Alternatively (instead of changing the description of the existing
| grades) add
|    (4) I have done very careful checking and I even verified the em=
ail
| addresses.
|

I suppose I am missing something.  I though trust levels were assigne=
d
to keys, not signatures.  I was not aware that I could sign someones
key, and assign some level to that signature.  AFAIK a signature is
absolute.  I can not assign anything to my own signature.

| Of course we can't hinder people from overrating their signatures. =
But
| the above wording would make it more obvious that just checking the
| identity is not enough for a high-rated signature. I'm convinced th=
at
| most people that overrated their signatures did so because they tho=
ught
| that carefully checking the identity of the key owner would be enou=
gh
| for a level 3 signature. IMO it's not enough.
|
| Regards,
| Ingo
|


- --
Thank you,


CL Gilbert
Free Java interface to Freechess.org
http://www.rigidsoftware.com/Chess/chess.html
"Then said I, Wisdom [is] better than strength: nevertheless the poor
man's wisdom [is] despised, and his words are not heard." Ecclesiaste=
s 9:16

GnuPG Key Fingerprint:
82A6 8893 C2A1 F64E A9AD  19AE 55B2 4CD7 80D2 0A2D
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+8cBTVbJM14DSCi0RAq24AKDnsdXFAL/BoNC+vCqIz6n6eq0lGACg0lsT
Q5eVi7pazVubw+Z4sXJn/JI=3D
=3DN0vR
-----END PGP SIGNATURE-----