re. Moving from PGP to GnuPG and other questions ...
Neil Williams
linux at codehelp.co.uk
Thu Apr 29 23:28:40 CEST 2004
On Thursday 29 April 2004 6:11, Jeff Fisher wrote:
> On Thu, Apr 29, 2004 at 09:30:04AM -0400, Dennis Lambe Jr. wrote:
> However, a google search for "Lewis Powell" returns about 8,000 hits,
Keysigning is never advisable with partial data. Signing a key is a public
declaration - you are publicly stating that you have no reason to doubt that
the physical person who owns the secret key is precisely the same person
identified in the key data. "Key data" in this sense should be defined as
GnuPG itself deals with key data: The name, comment and email address are
lumped together as one User ID which can have secondary UIDs added as
aliases for that one person.
In turn, I may want to rely on your verification of that person, in
combination with other signatures, to be able to trust an otherwise unknown
key. In practice, it's never good to trust a single link in the chain and I
set most keys to marginal trust unless I know the person personally.
As mentioned elsewhere,
signing = proof of your verification of that person and that key.
trust = your assessment of how carefully that person will verify other keys.
You need to be sure of all three components of a UID. Although comments might
not seem important, they can be used to express important details for some
users.
I always check:
1. The fingerprint - this is the basis of key identification - it's how you
tell two similar keys apart if they have the same names and even the
same/similar emails.
2. Photo ID - reputable and recognised source, not necessarily official or
government but not easily forgeable or temporary. Must include the same name
details as the key.
3. Email verification, preferably off-list and using encryption.
4. Comments: if the user specifically mentions a project or locality, perhaps
a distinguishing facet - this should be checked during the face-to-face
meeting to verify photo ID and key fingerprint.
> So, (finally), the question is, in practice what's the use of verifying
> only the name of the person before signing their key?
No use whatsoever. The keysigning must verify all parts of the UID. If you
cannot verify any part of a UID, do NOT sign that part of that key - use the
uid command (uid 1 or uid 2 etc.) to select those UIDs that you have been
able to verify.
Take my key. If you are unable to verify me as webmaster of DCLUG for whatever
reason, you should not sign that UID.
> Personally, I've only signed the keys of people I know personally. However,
> after a bit of thought, this gives me pause to sign anybody else's key with
> or without a passport, or reason to sign keys based on only e-mail
> correspondence.
I don't sign keys without seeing photo ID, exchange of fingerprint and some
verification of the email.
--
Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
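The per-UID signing and marginal-trust practice described above, driven non-interactively through gpg's --edit-key, as an added example that is not part of the original post. It assumes GnuPG 2.x on PATH; the keys, names and addresses are constructed for the demo, and it pretends we could verify Alice's personal UID but not her webmaster role.

```shell
#!/bin/sh
# Added example (not from the post): certify only the UIDs you verified,
# using the "uid N" selection in gpg --edit-key, then record marginal
# owner trust. Everything runs in a throwaway GNUPGHOME.
set -eu
GNUPGHOME=$(mktemp -d); export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null || true' EXIT

# Unattended gpg: empty passphrase, prompts answered via --command-fd.
g() { gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }
fpr_of() { gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'; }

# Constructed demo keys: our own signing key, and Alice with two UIDs.
g --quick-generate-key 'Signer <signer@example.invalid>' default default never
g --quick-generate-key 'Alice Example <alice@example.invalid>' default default never
SIGNER=$(fpr_of signer@example.invalid)
ALICE=$(fpr_of alice@example.invalid)
g --quick-add-uid "$ALICE" 'Alice Example (Project webmaster) <webmaster@example.invalid>'

# edit_key FPR: feed --edit-key commands from stdin, sign as SIGNER.
edit_key() { g --local-user "$SIGNER" --command-fd 0 --status-fd 1 --edit-key "$1" >/dev/null; }
# sign_uid FPR N: certify user ID number N only (numbering as shown by --edit-key).
sign_uid() { printf 'uid %s\nsign\ny\nsave\n' "$2" | edit_key "$1"; }
# set_marginal FPR: trust menu value 3 = "I trust marginally".
set_marginal() { printf 'trust\n3\nsave\n' | edit_key "$1"; }

# sigs_by_signer FPR N: count good certifications by SIGNER on user ID N.
# In --with-colons output a sig line's field 5 is the 16-hex-digit key ID,
# i.e. the last 16 characters of the signer's fingerprint.
sigs_by_signer() {
  gpg --batch --with-colons --check-sigs "$1" | awk -F: -v n="$2" -v s="$SIGNER" '
    $1=="uid" {u++}
    $1=="sig" && $2=="!" && u==n && $5==substr(s, length(s)-15) {c++}
    END {print c+0}'
}
# ownertrust FPR: exported owner-trust value (4 = marginal).
ownertrust() { gpg --batch --export-ownertrust | awk -F: -v f="$1" '$1==f {print $2}'; }

# We met Alice and checked photo ID, fingerprint and her personal e-mail,
# but could not confirm the webmaster role: sign UID 1, leave UID 2 unsigned.
sign_uid "$ALICE" 1
set_marginal "$ALICE"
```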