Why CAs or public keysigning?

Adrian 'Dagurashibanipal' von Bidder avbidder@fortytwo.ch
Sat Jun 21 17:37:05 2003


--Boundary-02=_cwH9+b2YOHE874i
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Description: signed data
Content-Disposition: inline

On Wednesday 18 June 2003 13:15, Peter L. Smilde wrote:
> Hi,
>
> What is the worth of signatures from public keysigning-parties or CAs in
> face of non-unique names? Especially when only names are checked and
> (usually) not (or only superficially) the email-address.
[...]
> unique? Often I cannot even be sure that the email-address of the person
> is the one of the person I want to communicate with, because (as I don't
> have direct contact with him, as in case 1) I often get addresses from
> the Internet, so it might be the address of some attacker. Secondly the
> email address in the UID is usually not very well checked by signers, so
> it might belong to another person than I (and the signer) expect.
[...]

I guess an important question is why do you want to communicate with that
person X whom you don't know directly?

I mean: You don't get funny ideas about 'now I want to communicate with John
Smith'. You always have some ideas about who that particular person is. This
should usually give you some out of band information to verify the key.

For example: When I want to communicate with Werner Koch, I look at the
keyserver and see that there are 5 keys for a Werner Koch. 2 of these have no
signatures, so I don't trust them. Of the other two, one has an @gnupg.org
mail address in the userid, so I'm pretty sure that it's the Werner Koch I
want. Now I need to authenticate the key, and that's where public keysignings
come into it. I don't know anything about why Nathalie Weiler has signed
Werner's key, but I know Nathalie. So I trust that 5B0358A2 is a key of the
'true' Werner Koch.

This is what public keysigning parties are about: they make it very likely
that somebody I know and trust meets somebody I may need to communicate with.
Public keysigning parties can do this much more effectively than private
keysignings with friends/colleagues can do. The key fact here: In my example,
Nathalie might have only certified the name Werner Koch from his ID (I'm sure
this particular example is bad ;-), but I can identify the key from other
information.

Hmm. Not sure if that answers your question.

-- vbi



-- 
featured link: http://fortytwo.ch/time
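The selection procedure sketched in the post above (discard unsigned keys, narrow by the out-of-band hint, then require a signature from someone you actually know), as an added Python model that is not part of the original thread; it also covers a case the post does not spell out, a key carrying the right address but certified only by strangers. The keyring, the signer key IDs and the mail addresses are constructed; only the key ID 5B0358A2 comes from the post.

```python
from dataclasses import dataclass, field


@dataclass
class Key:
    keyid: str
    uids: list                                  # "Name <email>" strings on the key
    signers: set = field(default_factory=set)   # key IDs that certified the UIDs


def uid_email(uid: str) -> str:
    """Extract the address part of a 'Name <email>' user ID ('' if none)."""
    return uid[uid.find("<") + 1:uid.rfind(">")].lower() if "<" in uid else ""


def candidate_keys(keyring, name):
    """Step 0: every key on the keyserver carrying the wanted name."""
    return [k for k in keyring if any(name.lower() in u.lower() for u in k.uids)]


def select_key(keyring, name, expected_domain, trusted_signers):
    """Apply the post's three filters; return (keyid, reason) or (None, reason)."""
    cands = candidate_keys(keyring, name)
    # Filter 1: a key with no signatures carries no third-party assertion at all.
    signed = [k for k in cands if k.signers]
    # Filter 2: out-of-band knowledge (the mail domain I expect) narrows the set.
    by_domain = [k for k in signed
                 if any(uid_email(u).endswith("@" + expected_domain) for u in k.uids)]
    # Filter 3: a signature only helps if I know, and trust, the person who made it.
    vouched = [k for k in by_domain if k.signers & trusted_signers]
    if len(vouched) == 1:
        k = vouched[0]
        return k.keyid, f"signed by trusted {sorted(k.signers & trusted_signers)}"
    if not vouched:
        return None, "no candidate is certified by anyone I trust"
    return None, "ambiguous: several candidates certified by trusted signers"


# Constructed sample keyring; every key ID except 5B0358A2 is made up.
NATHALIE = "C0FFEE01"   # constructed key ID standing in for a signer I know personally
KEYRING = [
    Key("5B0358A2", ["Werner Koch <wk@gnupg.org>"], {NATHALIE, "DEADBEEF"}),
    Key("11111111", ["Werner Koch <werner@example.net>"], {"DEADBEEF"}),
    Key("22222222", ["Werner Koch <wk@example.org>"]),               # unsigned
    Key("33333333", ["Werner Koch <koch@example.com>"]),             # unsigned
    Key("44444444", ["Werner Koch <wk@gnupg.org>"], {"BADC0DE0"}),   # strangers only
]

if __name__ == "__main__":
    print(select_key(KEYRING, "Werner Koch", "gnupg.org", {NATHALIE}))
```

Without a trusted signer in the picture the second gnupg.org key is indistinguishable from the first, which is exactly why the post leans on knowing Nathalie rather than on the address alone.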
