Why CAs or public keysigning?
Thu Jun 19 15:54:02 2003
-----BEGIN PGP SIGNED MESSAGE-----
Ingo Klöcker wrote:
| On Wednesday 18 June 2003 18:53, David Shaw wrote:
|>On Wed, Jun 18, 2003 at 12:22:25PM -0400, Dennis Lambe Jr. wrote:
|>>Without the WoT, I could be anyone. With the WoT, I could be
|>>anyone named Dennis Lambe Jr. The WoT does not completely
|>>eliminate the problem of misrepresentation, but it makes it
|>>millions of times less likely.
|>It's even better than that: you're not just anyone named Dennis Lambe
|>Jr - you're anyone named Dennis Lambe Jr with a particular email
|>address. Including an email address (with few exceptions like
|>shared or role accounts) very effectively eliminates nearly all
|>possible name duplications.
|>It is true that many signers do not take the time to verify an email
|>address when signing. This is unfortunate.
| "many" is an understatement. My experience is that most signers do not
| verify email addresses. My primary uid was signed by 58 persons. Only 3
| or 4 of the signers also verified my email addresses. (FWIW, I verify
| all email addresses.) This wouldn't be a problem if those signers that
| didn't verify my email addresses wouldn't have given their signatures
| the highest possible rating 3. But some of them did. So it's not
| possible to distinguish really good signatures from not so good ones.
| Even worse is that 2 or 3 signatures on my key are from people that
| never checked my ID. But that's another problem.
| To prevent overrated signatures I suggest changing
| (2) I have done casual checking.
| (3) I have done very careful checking.
| to
| (2) I have checked the identity of this person.
| (3) I have checked the identity and the email address of this person.
| Alternatively (instead of changing the description of the existing
| grades) add
| (4) I have done very careful checking and I even verified the email address.
I suppose I am missing something. I thought trust levels were assigned
to keys, not signatures. I was not aware that I could sign someone's
key and assign some level to that signature. AFAIK a signature is
absolute. I cannot assign anything to my own signature.
| Of course we can't hinder people from overrating their signatures. But
| the above wording would make it more obvious that just checking the
| identity is not enough for a high-rated signature. I'm convinced that
| most people that overrated their signatures did so because they thought
| that carefully checking the identity of the key owner would be enough
| for a level 3 signature. IMO it's not enough.
Free Java interface to Freechess.org
"Then said I, Wisdom [is] better than strength: nevertheless the poor
man's wisdom [is] despised, and his words are not heard." Ecclesiastes
GnuPG Key Fingerprint:
82A6 8893 C2A1 F64E A9AD 19AE 55B2 4CD7 80D2 0A2D
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
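The "rating" Ingo refers to, and which the reply above was not aware of, is the OpenPGP certification signature class: 0x10 (generic), 0x11 (persona, no checking), 0x12 (casual checking) and 0x13 (positive, very careful checking), which gpg shows in `--list-sigs` output as "sig", "sig 1", "sig 2" and "sig 3" and which the signer chooses with `gpg --ask-cert-level` (or `--default-cert-level N`). The script below is an added example, not code from the thread or from GnuPG: it parses the machine-readable `gpg --with-colons --list-sigs KEYID` format (field 11 of each `sig` record carries the class as two hex digits plus `x` for exportable or `l` for local-only) and tallies the third-party certifications on a key by level, so one can at least see how many signers claimed level 3. The listing it runs over is constructed to mimic that format; the listed key ID is the fingerprint tail from the signature block above, and all signer names and addresses are hypothetical.

```python
import re
from collections import Counter

# RFC 4880 section 5.2.1 certification signature classes (the "level" the
# thread argues about) and the label `gpg --list-sigs` prints for each.
CERT_LEVELS = {
    0x10: ("generic, no claim about checking", "sig"),
    0x11: ("persona, no checking done", "sig 1"),
    0x12: ("casual checking", "sig 2"),
    0x13: ("positive, very careful checking", "sig 3"),
}

# Field 11 of a colon-format sig record: two hex digits + 'x' (exportable)
# or 'l' (local-only, non-exportable).
_SIGCLASS = re.compile(r"^([0-9A-Fa-f]{2})([xl])$")

# CONSTRUCTED listing in `gpg --with-colons --list-sigs` shape (not real
# gpg output). Signers and addresses are hypothetical; the pub key ID is the
# one from the signature block above. The 1F record is a direct-key
# signature and must not be counted as a user-ID certification.
SAMPLE = """\
pub:u:1024:17:55B24CD780D20A2D:2002-05-03:::u:::scESC:
sig:::17:55B24CD780D20A2D:2002-05-03::::Key Owner <owner@example.invalid>:1Fx:
uid:u::::2002-05-03::0000000000000000000000000000000000000000::Key Owner <owner@example.invalid>:
sig:::17:55B24CD780D20A2D:2002-05-03::::Key Owner <owner@example.invalid>:13x:
sig:::17:0123456789ABCDEF:2003-06-10::::Alice Example <alice@example.invalid>:13x:
sig:::17:FEDCBA9876543210:2003-06-11::::Bob Example <bob@example.invalid>:12x:
sig:::17:0F0F0F0F0F0F0F0F:2003-06-12::::Carol Example <carol@example.invalid>:10x:
sig:::17:1111111111111111:2003-06-12::::Dave Example <dave@example.invalid>:13l:
"""


def parse_certifications(colon_output):
    """Return one dict per user-ID certification (class 0x10..0x13) found
    in gpg --with-colons --list-sigs output for the first listed key."""
    key_id = None
    certs = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) > 4:
            key_id = fields[4]                 # field 5: key ID of listed key
        elif fields[0] == "sig" and key_id is not None and len(fields) > 10:
            m = _SIGCLASS.match(fields[10])    # field 11: e.g. "13x"
            if not m:
                continue                       # not a signature class we parse
            sig_class = int(m.group(1), 16)
            if sig_class not in CERT_LEVELS:
                continue                       # e.g. 0x1F direct-key signature
            certs.append({
                "signer": fields[4],           # field 5: signer's key ID
                "signer_uid": fields[9],       # field 10: signer's user ID
                "level": sig_class - 0x10,     # 0..3 as the thread uses it
                "exportable": m.group(2) == "x",
                "self": fields[4] == key_id,   # self-signature on own uid
            })
    return certs


def level_counts(certs, include_self=False):
    """Count certifications per check level, by default third-party only."""
    return Counter(c["level"] for c in certs if include_self or not c["self"])


def report(colon_output):
    """Human-readable line per third-party certification, with gpg's label."""
    lines = []
    for c in parse_certifications(colon_output):
        if c["self"]:
            continue
        desc, label = CERT_LEVELS[0x10 + c["level"]]
        scope = "exportable" if c["exportable"] else "local-only"
        lines.append(f"{label:<5} {c['signer']}  {desc} ({scope})  {c['signer_uid']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
    print("third-party certifications by level:",
          dict(level_counts(parse_certifications(SAMPLE))))
```

Note that the count says nothing about whether a level-3 signer actually verified the email address, which is exactly Ingo's complaint: the class records what the signer claims, and gpg's trust calculation does not distinguish the classes, so a keyring audit like this only surfaces who claimed what.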