Why CAs or public keysigning?

David Shaw dshaw@jabberwocky.com
Fri Jun 20 21:00:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Jun 20, 2003 at 02:28:37PM -0400, CL Gilbert wrote:

> |>It seems to me the only meaningful option is 3.  Any other option is
> |>rather silly.  Why even sign the key if your choice is not 3?
> |
> | That is, of course, your choice.  The idea of sig levels is to allow a
> | signer to express the difference between (for example), checking a
> | passport, and checking a passport plus verifying the email address.
> | They are both "checking", but one is certainly more casual than the
> | other.
> |
> | If you always check in the same single way, and will not sign unless
> | that exact requirement is met, then signature levels don't help you
> | much.
> |
> | When I sign, for example, I check a photo ID and send an email address
> | challenge.  If that is met, I give a level 2.  If I know the person
> | personally, I'll give a level 3.  It's completely subjective, and my
> | level 2 is likely to be different than someone else's level 2.

> I can think of no good reason to sign someone's key that I do not know
> personally or professionally.  The number does not seem relevant.

As I said, then, in your case signature levels don't help you much.

> Anything less than absolute security is absolute insecurity.

Not at all true.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE+81n54mZch0nhy8kRAlhhAKCMVqAXB9s7c2XR0hLbyJQqqpnITwCeODkW
sEKbkdbYY00P/qXTh/Tg1YY=
=VzA1
-----END PGP SIGNATURE-----