Why CAs or public keysigning?

David Shaw dshaw@jabberwocky.com
Fri Jun 20 18:28:02 2003

On Fri, Jun 20, 2003 at 10:19:24AM -0400, CL Gilbert wrote:

> 0 - I refuse to answer???
> 1 - I have not checked??
> 2 - I have done casual checking
> 3 - I have checked
> 
> It seems to me the only meaningful option is 3.  Any other option is
> rather silly.  Why even sign the key if your choice is not 3?

That is, of course, your choice.  The idea of sig levels is to allow a
signer to express the difference between (for example), checking a
passport, and checking a passport plus verifying the email address.
They are both "checking", but one is certainly more casual than the
other.

If you always check in the same single way, and will not sign unless
that exact requirement is met, then signature levels don't help you
much.

When I sign, for example, I check a photo ID and send an email address
challenge.  If that is met, I give a level 2.  If I know the person
personally, I'll give a level 3.  It's completely subjective, and my
level 2 is likely to be different than someone else's level 2.

David
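As an added example, not part of this thread, here is a small Python script that reads `gpg --with-colons --list-sigs` output and reports which certification level (0 to 3) each third-party signer asserted for a user ID, so the distinction David describes can be audited on a real key. The colon-format field layout follows GnuPG's doc/DETAILS; the SAMPLE listing, key IDs and names are constructed for the example.

```python
# Added example: summarise third-party certification levels from
# `gpg --with-colons --list-sigs`. Field 11 of a "sig" record is the
# signature class: two hex digits (0x10..0x13 for certifications) plus
# "x" (exportable) or "l" (local-only). SAMPLE is constructed, not a real key.

CERT_LEVELS = {
    0x10: "0: generic (no statement about checking)",
    0x11: "1: persona (identity not checked)",
    0x12: "2: casual checking",
    0x13: "3: positive (substantial checking)",
}

SAMPLE = """\
pub:f:2048:1:0123456789ABCDEF:1400000000:::u:::scESC::::::23::0:
uid:f::::1400000000::0A1B2C3D4E5F60718293A4B5C6D7E8F901234567::Alice Example <alice@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1400000000::::Alice Example <alice@example.org>:13x:::::2:
sig:::1:FEDCBA9876543210:1400100000::::Bob Example <bob@example.org>:12x:::::2:
sig:::1:1111222233334444:1400200000::::Carol Example <carol@example.org>:11l:::::2:
"""

def parse_certifications(listing):
    """Return [(certified_uid, signer_keyid, level, exportable)] for third-party
    certifications only. Self-signatures and non-certification classes
    (revocations, subkey bindings) are skipped: they say nothing about how
    someone else checked the identity."""
    own_keyid, current_uid, certs = None, None, []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            own_keyid, current_uid = f[4], None
        elif f[0] == "uid":
            current_uid = f[9]
        elif f[0] in ("sub", "ssb"):
            current_uid = None          # signatures that follow bind subkeys, not UIDs
        elif f[0] == "sig" and current_uid is not None and len(f) > 10 and f[10]:
            sigclass = int(f[10][:2], 16)
            if sigclass not in CERT_LEVELS or f[4] == own_keyid:
                continue
            certs.append((current_uid, f[4], sigclass - 0x10, f[10].endswith("x")))
    return certs

def strongest_exportable_level(listing):
    """Map each user ID to the highest level any third party asserted about it,
    counting exportable signatures only (local-only ones never leave the keyring)."""
    best = {}
    for uid, _signer, level, exportable in parse_certifications(listing):
        if exportable:
            best[uid] = max(best.get(uid, -1), level)
    return best

if __name__ == "__main__":
    for uid, signer, level, exportable in parse_certifications(SAMPLE):
        tag = "" if exportable else " (local-only)"
        print(f"{signer} -> {uid}: {CERT_LEVELS[0x10 + level]}{tag}")
    print(strongest_exportable_level(SAMPLE))
```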