Why CAs or public keysigning?

Ingo Klöcker ingo.kloecker@epost.de
Thu Jun 19 17:15:02 2003


On Thursday 19 June 2003 15:53, CL Gilbert wrote:
> I suppose I am missing something.  I thought trust levels were
> assigned to keys, not signatures.  I was not aware that I could sign
> someone's key, and assign some level to that signature.  AFAIK a
> signature is absolute.  I can not assign anything to my own
> signature.

If you sign a key you are asked:
=====
How carefully have you verified the key you are about to sign actually belongs
to the person named above?  If you don't know what to answer, enter "0".

   (0) I will not answer. (default)
   (1) I have not checked at all.
   (2) I have done casual checking.
   (3) I have done very careful checking.

Your selection?
=====

And if you enter '?' at the prompt then you get the following help text:
=====
When you sign a user ID on a key, you should first verify that the key
belongs to the person named in the user ID.  It is useful for others to
know how carefully you verified this.

"0" means you make no particular claim as to how carefully you verified the
    key.

"1" means you believe the key is owned by the person who claims to own it
    but you could not, or did not verify the key at all.  This is useful for
    a "persona" verification, where you sign the key of a pseudonymous user.

"2" means you did casual verification of the key.  For example, this could
    mean that you verified the key fingerprint and checked the user ID on the
    key against a photo ID.

"3" means you did extensive verification of the key.  For example, this could
    mean that you verified the key fingerprint with the owner of the key in
    person, and that you checked, by means of a hard to forge document with a
    photo ID (such as a passport) that the name of the key owner matches the
    name in the user ID on the key, and finally that you verified (by exchange
    of email) that the email address on the key belongs to the key owner.

Note that the examples given above for levels 2 and 3 are *only* examples.
In the end, it is up to you to decide just what "casual" and "extensive"
mean to you when you sign other keys.

If you don't know what the right answer is, answer "0".
=====

Regards,
Ingo

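The answer you give at the "Your selection?" prompt above is recorded in the signature packet itself, so anyone who imports the key can see how carefully each signer claims to have checked it. The following is an added example, not code from the original post or from GnuPG: it maps the four levels to the OpenPGP user-ID certification signature types defined in RFC 4880 section 5.2.1 (0x10 generic, 0x11 persona, 0x12 casual, 0x13 positive, i.e. 0x10 plus the level you entered) and extracts them from `gpg --list-sigs --with-colons` output, where GnuPG's documented colon-record layout puts the signature class such as `13x` in field 11. The sample records are constructed, with made-up key IDs and names.

```python
"""Read GnuPG certification levels back out of --with-colons output.

Added example, not part of the original mailing-list post. The
level-to-type mapping is RFC 4880 section 5.2.1; the record layout is
GnuPG's documented --with-colons format (field 5 = key ID, field 10 =
user ID, field 11 = signature class). All sample data below is
constructed: the key IDs, names and addresses are made up.
"""
from typing import List, Optional, Tuple

# OpenPGP user-ID certification types. Answering N at GnuPG's
# "Your selection?" prompt produces signature type 0x10 + N.
CERT_TYPES = {
    0x10: "generic (0: no particular claim about verification)",
    0x11: "persona (1: not checked at all)",
    0x12: "casual (2: casual checking)",
    0x13: "positive (3: very careful checking)",
}


def level_to_sigtype(level: int) -> int:
    """Certification level 0-3 -> OpenPGP signature type 0x10-0x13."""
    if not 0 <= level <= 3:
        raise ValueError(f"certification level must be 0-3, got {level}")
    return 0x10 + level


def sigtype_to_level(sigtype: int) -> Optional[int]:
    """Signature type -> certification level, or None when the type is not
    a user-ID certification (e.g. 0x18 subkey binding, 0x30 revocation)."""
    if 0x10 <= sigtype <= 0x13:
        return sigtype - 0x10
    return None


def describe(level: int) -> str:
    """Human-readable meaning of a level, in GnuPG's own terms."""
    return CERT_TYPES[level_to_sigtype(level)]


def parse_sig_records(colon_output: str) -> List[Tuple[str, str, int, bool]]:
    """Return (signer_keyid, signer_uid, level, exportable) for each 'sig'
    record that is a user-ID certification. A trailing 'l' on the class
    marks a local (non-exportable) signature, 'x' an exportable one."""
    results = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if len(fields) < 11 or fields[0] != "sig":
            continue
        sig_class = fields[10]
        level = sigtype_to_level(int(sig_class[:2], 16))
        if level is None:
            continue  # binding, revocation or other non-certification sig
        exportable = not sig_class.endswith("l")
        results.append((fields[4], fields[9], level, exportable))
    return results


def strongest_certification(colon_output: str) -> Optional[int]:
    """Highest level any signer claimed for the listed key, or None."""
    levels = [lvl for _, _, lvl, _ in parse_sig_records(colon_output)]
    return max(levels) if levels else None


# Constructed sample in --with-colons layout: one key with four
# certifications at levels 3, 2, 1 (local) and 0, plus a subkey binding
# signature (class 18) that must be ignored.
SAMPLE = """\
pub:u:2048:1:0000000000000001:1055999999:::u:::scESC::::::
uid:u::::1055999999::0000000000000000000000000000000000000001::Alice Example <alice@example.invalid>::::::::::0:
sig:::1:0000000000000001:1055999999::::Alice Example <alice@example.invalid>:13x::::::::
sig:::1:0000000000000002:1056000000::::Bob Example <bob@example.invalid>:12x::::::::
sig:::1:0000000000000003:1056000001::::Carol Example <carol@example.invalid>:11l::::::::
sig:::1:0000000000000004:1056000002::::Dave Example <dave@example.invalid>:10x::::::::
sub:u:2048:1:0000000000000005:1055999999::::::e::::::
sig:::1:0000000000000001:1055999999::::Alice Example <alice@example.invalid>:18x::::::::
"""

if __name__ == "__main__":
    for keyid, uid, level, exportable in parse_sig_records(SAMPLE):
        scope = "exportable" if exportable else "local"
        print(f"{keyid}  {uid:45}  level {level}: {describe(level)} [{scope}]")
    print("strongest claimed verification:", strongest_certification(SAMPLE))
```

Run against a real key with `gpg --list-sigs --with-colons KEYID | python3 certlevels.py` after replacing `SAMPLE` with `sys.stdin.read()`; the point is that level 1 (persona) is a signer's explicit statement that nothing was checked, so it is not the same as a missing signature and should not be counted as verification when you build your own trust decisions.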