Why CAs or public keysigning?

Adrian 'Dagurashibanipal' von Bidder avbidder@fortytwo.ch
Sat Jun 21 17:37:05 2003

On Wednesday 18 June 2003 13:15, Peter L. Smilde wrote:
> Hi,
> What is the worth of signatures from public keysigning-parties or CAs in
> face of non-unique names? Especially when only names are checked and
> (usually) not (or only superficially) the email-address.
> unique? Often I cannot even be sure that the email-address of the person
> is the one of the person I want to communicate with, because (as I don't
> have direct contact with him, as in case 1) I often get addresses from
> the Internet, so it might be the address of some attacker. Secondly the
> email address in the UID is usually not very well checked by signers, so
> it might belong to another person than I (and the signer) expect.

I guess an important question is why do you want to communicate with that
person X whom you don't know directly?

I mean: You don't get funny ideas about 'now I want to communicate with John
Smith'. You always have some ideas about who that particular person is. This
should usually give you some out of band information to verify the key.

For example: When I want to communicate with Werner Koch, I look at the
keyserver and see that there are 5 keys for a Werner Koch. 2 of these have no
signatures, so I don't trust them. Of the other two, one has an @gnupg.org
mail address in the userid, so I'm pretty sure that it's the Werner Koch I
want. Now I need to authenticate the key, and that's where public keysignings
come into it. I don't know anything about why Nathalie Weiler has signed
Werner's key, but I know Nathalie. So I trust that 5B0358A2 is a key of the
'true' Werner Koch.

This is what public keysigning parties are about: they make it very likely
that somebody I know and trust meets somebody I may need to communicate with;
public keysigning parties can do this much more effectively than private
keysignings with friends/colleagues can do. The key fact here: In my example,
Nathalie might have only certified the name Werner Koch from his ID (I'm sure
this particular example is bad ;-), but I can identify the key from other

Hmm. Not sure if that answers your question.

-- vbi

featured link: http://fortytwo.ch/time


Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.4&md5sum=81630baabe9a0670bb19c1fa8527a7ab
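The selection reasoning in the mail above (search the keyserver by name, discard keys nobody has signed, use out-of-band knowledge such as the expected mail domain to pick among the rest, then accept only a key certified by someone you know) can be written down as a small decision procedure. The following is an added example, not code from the mail or from GnuPG; every key id, user ID, e-mail address and the set of "trusted signers" is constructed sample data, and the keyserver result is a hand-built list rather than a real keyserver query.

```python
"""Toy model of choosing a key among several with the same name.

Added example; all data below is constructed.  The point it shows is
that the name in a user ID alone never identifies the key: the e-mail
domain (out-of-band knowledge) narrows the set, and a certification by
a signer I personally know is what finally lets me accept one key.
"""

from dataclasses import dataclass, field


@dataclass
class Key:
    keyid: str                                  # constructed short key id
    name: str                                   # name part of the user ID
    email: str                                  # e-mail part of the user ID
    signers: set = field(default_factory=set)   # key ids that certified this key


# Constructed keyserver result for a search on the name "Werner Koch":
# five keys with the same name, two of them without any third-party signature.
KEYSERVER = [
    Key("0x11111111", "Werner Koch", "wk@example.org"),                 # unsigned
    Key("0x22222222", "Werner Koch", "werner@example.net"),             # unsigned
    Key("0x33333333", "Werner Koch", "wk@gnupg.example",
        {"0xFEEDFACE", "0xCAFEBABE"}),
    Key("0x44444444", "Werner Koch", "koch@mail.example", {"0xDEADBEEF"}),
    Key("0x55555555", "Werner Koch", "w.koch@mail.example", {"0xCAFEBABE"}),
]

# Key ids of people I know in person and whose certification practice I trust
# (constructed; in the mail this role is played by Nathalie Weiler's key).
TRUSTED_SIGNERS = {"0xCAFEBABE"}


def mail_domain(email):
    """Domain part of an address in a user ID ('' if there is no '@')."""
    return email.rsplit("@", 1)[1] if "@" in email else ""


def select_key(keys, name, expected_domain, trusted_signers):
    """Apply the mail's reasoning step by step.

    Returns (key, reason).  key is None when no single key can be accepted;
    reason records which step eliminated the candidates, so the caller can
    see whether the failure was 'nobody signed it' or 'nobody I know signed it'.
    """
    # Step 1: all keys carrying that name.  Names are not unique, so this
    # is only the starting set, never the answer.
    by_name = [k for k in keys if k.name == name]
    if not by_name:
        return None, "no key with that name on the keyserver"

    # Step 2: drop keys nobody has certified at all.
    signed = [k for k in by_name if k.signers]
    if not signed:
        return None, "only unsigned keys found"

    # Step 3: use out-of-band knowledge (the mail domain I expect) to narrow.
    by_domain = [k for k in signed if mail_domain(k.email) == expected_domain]
    if not by_domain:
        return None, "no signed key with a user ID at the expected domain"

    # Step 4: accept a key only if a signer I personally trust certified it.
    # A signer may have checked the name on an ID document and not the
    # e-mail address, which is exactly why step 3 is still needed.
    certified = [k for k in by_domain if k.signers & trusted_signers]
    if len(certified) == 1:
        who = sorted(certified[0].signers & trusted_signers)
        return certified[0], "certified by trusted signer(s) " + ", ".join(who)
    if not certified:
        return None, "no candidate is certified by anyone I know"
    return None, "ambiguous: several candidates certified by people I know"


if __name__ == "__main__":
    for domain in ("gnupg.example", "mail.example", "example.org"):
        key, why = select_key(KEYSERVER, "Werner Koch", domain, TRUSTED_SIGNERS)
        print(domain, "->", key.keyid if key else None, "|", why)
```

Running it shows the two things the mail argues: with the expected domain known, one key is chosen because a trusted acquaintance certified it, while a search that only yields unsigned keys, or keys signed by strangers, produces no decision rather than a guess.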