re. Moving from PGP to GnuPG and other questions ...

Neil Williams linux at codehelp.co.uk
Thu Apr 29 23:28:40 CEST 2004


On Thursday 29 April 2004 6:11, Jeff Fisher wrote:
> On Thu, Apr 29, 2004 at 09:30:04AM -0400, Dennis Lambe Jr. wrote:
> However, a google search for "Lewis Powell" returns about 8,000 hits,

Keysigning is never advisable with partial data. Signing a key is a public 
declaration - you are publicly stating that you have no reason to doubt that 
the physical person who owns the secret key is precisely the same person 
identified in the key data. "Key data" in this sense should be defined as 
GnuPG itself deals with key data: The name, comment and email address are 
lumped together as one User ID, which can have secondary UIDs added as 
aliases for that one person.

In turn, I may want to rely on your verification of that person, in 
combination with other signatures, to be able to trust an otherwise unknown 
key. In practice, it's never good to trust a single link in the chain and I 
set most keys to marginal trust unless I know the person personally.

As mentioned elsewhere, 
signing = proof of your verification of that person and that key.
trust = your assessment of how carefully that person will verify other keys.

You need to be sure of all three components of a UID; although comments might 
not seem important, they can be used to express important details for some 
users.

I always check:
1. The fingerprint - this is the basis of key identification - it's how you 
tell two similar keys apart if they have the same names and even the 
same/similar emails.
2. Photo ID - reputable and recognised source, not necessarily official or 
government but not easily forgeable or temporary. Must include the same name 
details as the key.
3. Email verification, preferably off-list and using encryption.
4. Comments: if the user specifically mentions a project or locality, perhaps 
a distinguishing facet - this should be checked during the face-to-face 
meeting to verify photo ID and key fingerprint.

> So, (finally), the question is, in practice what's the use of verifying
> only the name of the person before signing their key?

No use whatsoever. The keysigning must verify all parts of the UID. If you 
cannot verify any part of a UID, do NOT sign that part of that key - use the 
uid command (uid 1 or uid 2 etc.) to select those UIDs that you have been 
able to verify.

Take my key. If you are unable to verify me as webmaster of DCLUG for whatever 
reason, you should not sign that UID.

> Personally, I've only signed the keys of people I know personally. However,
> after a bit of thought, this gives me pause to sign anybody else's key with
> or without a passport, or reason to sign keys based on only e-mail
> correspondence.

I don't sign keys without seeing photo ID, exchange of fingerprint and some 
verification of the email.

-- 

Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/

http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
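The checklist in the message above (fingerprint first, then photo ID, email and comment, and then `uid N` selection so that only verified UIDs get signed) as an added example that is not part of the original post and is not GnuPG's own code. It parses the machine-readable `gpg --with-colons` listing format, normalises a fingerprint as read off a paper slip, splits each UID into the three components the post insists on checking, and emits the `uid N` / `sign` command script for `gpg --command-fd 0 --edit-key`. The key, fingerprint, addresses and the set of check names (`photo_id`, `email`, `comment`) are constructed for the example; the exact interactive prompts `--edit-key` answers with `y` are an assumption about the gpg version in use.

```python
"""Keysigning checklist helper.

Parse a `gpg --with-colons` listing, compare its fingerprint against the one
read from the keyholder's paper slip, split each UID into name/comment/email,
and produce the `uid N` / `sign` commands for only the UIDs that passed every
face-to-face check.  Added example, not from the original post or from GnuPG;
the key below is constructed, not a real one.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of `gpg --with-colons --fingerprint --list-keys 0x89ABCDEF01234567`.
# Key ID, fingerprint, names and addresses are made up for this example.
SAMPLE_LISTING = """\
pub:-:1024:17:89ABCDEF01234567:1083200000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1083200000::0000000000000000000000000000000000000001::Example User (DCLUG webmaster) <webmaster@example.org>::::::::::0:
uid:-::::1083200000::0000000000000000000000000000000000000002::Example User <user@example.net>::::::::::0:
sub:-:2048:16:FEDCBA9876543210:1083200000::::::e::::::23:
"""

# What the partner's slip typically looks like: grouped in fours, mixed case,
# uneven whitespace.  Constructed to match the sample key above.
SLIP_FINGERPRINT = "0123 4567 89AB CDEF 0123  4567 89ab cdef 0123 4567"

# 'Name (Comment) <email>'; comment and email are each optional.
UID_RE = re.compile(r"^(?P<name>[^(<]*?)\s*(?:\((?P<comment>[^)]*)\))?\s*(?:<(?P<email>[^>]+)>)?$")


@dataclass
class UserId:
    index: int              # 1-based, in gpg's display order: what `uid N` selects
    name: str
    comment: Optional[str]
    email: Optional[str]


@dataclass
class Key:
    keyid: str
    fingerprint: str
    uids: List[UserId] = field(default_factory=list)


def normalize_fingerprint(text: str) -> str:
    """Drop grouping whitespace and case; accept only a complete v4 (40 hex) or
    v3 (32 hex) fingerprint, so that a short key ID can never pass as one."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}|[0-9A-F]{32}", fpr):
        raise ValueError("not a complete fingerprint: %r" % text)
    return fpr


def parse_uid(raw: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split one User ID into the name, comment and email GnuPG lumps together."""
    m = UID_RE.match(raw.replace("\\x3a", ":").strip())   # --with-colons escapes ':' as \x3a
    if m is None:
        raise ValueError("unparseable user ID: %r" % raw)
    return m.group("name").strip(), m.group("comment"), m.group("email")


def parse_listing(listing: str) -> Key:
    """Pull the primary key ID (pub: field 5), its fingerprint (first fpr: record,
    field 10) and every uid: record (field 10) out of a --with-colons listing."""
    keyid = fingerprint = None
    uids: List[UserId] = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keyid = f[4]
        elif f[0] == "fpr" and fingerprint is None:   # later fpr: records belong to subkeys
            fingerprint = f[9]
        elif f[0] == "uid":
            name, comment, email = parse_uid(f[9])
            uids.append(UserId(len(uids) + 1, name, comment, email))
    if keyid is None or fingerprint is None:
        raise ValueError("listing has no pub:/fpr: records")
    return Key(keyid, fingerprint, uids)


def uids_to_sign(key: Key, slip_fingerprint: str, checks: Dict[int, Set[str]]) -> List[int]:
    """Return the UID indices that are safe to sign.  checks[index] holds the
    checks that passed for that UID: 'photo_id' (document name matches the UID
    name), 'email' (an encrypted challenge to that address was answered) and
    'comment' (the comment's claim was confirmed).  A UID is signable only when
    everything it asserts was checked.  A fingerprint mismatch means the key is
    not the one the person in front of you presented, so nothing is signed."""
    if normalize_fingerprint(slip_fingerprint) != key.fingerprint:
        return []
    signable = []
    for uid in key.uids:
        required = {"photo_id"}
        if uid.email:
            required.add("email")
        if uid.comment:
            required.add("comment")
        if required <= checks.get(uid.index, set()):
            signable.append(uid.index)
    return signable


def edit_key_commands(key: Key, uids: List[int]) -> str:
    """Script for `gpg --command-fd 0 --edit-key <keyid>`: select only the verified
    UIDs, then sign.  With no UID selected, `sign` would sign all of them, so an
    empty selection yields an empty script rather than a sign-everything one.
    The 'y' answers gpg's 'Really sign?' prompt (assumed prompt sequence)."""
    if not uids:
        return ""
    lines = ["uid %d" % i for i in uids] + ["sign", "y", "save"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    key = parse_listing(SAMPLE_LISTING)
    # Face-to-face results: UID 1's comment claim was never confirmed.
    passed = {1: {"photo_id", "email"}, 2: {"photo_id", "email"}}
    chosen = uids_to_sign(key, SLIP_FINGERPRINT, passed)
    print("sign UIDs:", chosen)
    print(edit_key_commands(key, chosen), end="")
```

Run as-is it selects only UID 2, because UID 1 carries a comment ("DCLUG webmaster") that nobody confirmed; add `"comment"` to UID 1's check set and both are selected. Feed the printed script to `gpg --command-fd 0 --status-fd 1 --edit-key 0x89ABCDEF01234567` (a constructed key ID here) after exporting the signer's key is the usual next step.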