Why CAs or public keysigning?
Thu Jun 19 17:15:02 2003
On Thursday 19 June 2003 15:53, CL Gilbert wrote:
> I suppose I am missing something. I thought trust levels were
> assigned to keys, not signatures. I was not aware that I could sign
> someone's key, and assign some level to that signature. AFAIK a
> signature is absolute. I can not assign anything to my own

If you sign a key you are asked:

How carefully have you verified the key you are about to sign actually belongs
to the person named above? If you don't know what to answer, enter "0".

(0) I will not answer. (default)
(1) I have not checked at all.
(2) I have done casual checking.
(3) I have done very careful checking.

And if you enter '?' at the prompt then you get the following help text:

When you sign a user ID on a key, you should first verify that the key
belongs to the person named in the user ID. It is useful for others to
know how carefully you verified this.

"0" means you make no particular claim as to how carefully you verified the

"1" means you believe the key is owned by the person who claims to own it
but you could not, or did not verify the key at all. This is useful for
a "persona" verification, where you sign the key of a pseudonymous user.

"2" means you did casual verification of the key. For example, this could
mean that you verified the key fingerprint and checked the user ID on the
key against a photo ID.

"3" means you did extensive verification of the key. For example, this could
mean that you verified the key fingerprint with the owner of the key in
person, and that you checked, by means of a hard to forge document with a
photo ID (such as a passport) that the name of the key owner matches the
name in the user ID on the key, and finally that you verified (by exchange
of email) that the email address on the key belongs to the key owner.

Note that the examples given above for levels 2 and 3 are *only* examples.
In the end, it is up to you to decide just what "casual" and "extensive"
mean to you when you sign other keys.

If you don't know what the right answer is, answer "0".
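
How the answer to that prompt shows up on a key, as an added example that is not part of the original message: GnuPG stores levels 0 to 3 as OpenPGP certification signature types 0x10 to 0x13, and `gpg --with-colons --list-sigs` prints that type in field 11 of each `sig` record. The Python below reads such a listing and reports each signer's check level; the sample records, key IDs and names are constructed, and the function names are hypothetical.

```python
# Added example: map the signature class in `gpg --with-colons --list-sigs`
# output back to the check level chosen at the signing prompt.

# OpenPGP certification types (RFC 4880) and the prompt answer they record.
CERT_LEVELS = {
    0x10: (0, "no answer (generic certification)"),
    0x11: (1, "not checked at all (persona)"),
    0x12: (2, "casual checking"),
    0x13: (3, "very careful checking (positive)"),
}

# Constructed sample listing; not taken from a real keyring.
SAMPLE = """\
sig:::17:1111111111111111:1055000000::::Carol Example <carol@example.org>:13x:
sig:::17:2222222222222222:1055900000::::Alice Example <alice@example.org>:10x:
sig:::17:3333333333333333:1055910000::::Bob Example <bob@example.org>:12x:
sig:::17:4444444444444444:1055920000::::Dave Example <dave@example.org>:11l:
rev:::17:3333333333333333:1055990000::::Bob Example <bob@example.org>:30x:
"""

def certifications(colon_output):
    """Return one dict per certification signature in the listing."""
    found = []
    for line in colon_output.splitlines():
        f = line.split(":")
        # Field 1 is the record type; field 11 is two hex digits plus
        # 'x' (exportable) or 'l' (local-only).
        if f[0] != "sig" or len(f) < 11 or len(f[10]) < 3:
            continue
        try:
            sig_class = int(f[10][:2], 16)
        except ValueError:
            continue  # malformed class field, skip the record
        if sig_class not in CERT_LEVELS:
            continue  # not a certification (e.g. a revocation)
        level, meaning = CERT_LEVELS[sig_class]
        found.append({"signer": f[4], "uid": f[9], "level": level,
                      "meaning": meaning, "exportable": f[10][2] == "x"})
    return found

def below(certs, minimum):
    """Key IDs of signers whose stated check level is under `minimum`."""
    return [c["signer"] for c in certs if c["level"] < minimum]

if __name__ == "__main__":
    for c in certifications(SAMPLE):
        print(c["signer"], c["level"], c["meaning"], c["uid"])
    print("below level 2:", below(certifications(SAMPLE), 2))
```
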