Driving licence as identification and accepting signed keys without exchanging encrypted data

Tony Whitmore tony at tonywhitmore.co.uk
Mon Jul 24 22:50:22 CEST 2006


I'm still working on getting my card reader to work, but in the
meantime, I have a couple of questions regarding key-signing etiquette
following a session at LUG Radio Live last weekend. I hope the questions
are not OT, I've checked the HOWTOs & FAQs, but there's some ambiguity
in them.

First: Is a photo driving licence considered adequate identification?
I'm in the UK so we have UK / EU photo driving licences. I have
previously only used passports as ID, but some people were presenting
driving licences instead.

Second: I've already had back some e-mails, encrypted with my public
key, with signatures attached ready for me to upload to a keyserver. I
usually use the procedure described at [1], which requires the
additional verification of the encryption, exchange and decryption of a
random amount of text before signatures are sent. Obviously I have to be
able to decrypt the e-mail successfully to access the signature they
have sent me, but is this considered a safe and appropriate way to sign
keys?

The e-mails I received were identical apart from the sender's name, so I
suspect they are using a script. I wasn't able to find anything
definitive on Google so can't be sure which script they are using, but
the text ran like:
---quote---
Hi,

please find attached the user id
	Antony Paul Whitmore <tony at tonywhitmore.co.uk>
of your key 7920DB2171B98B64 signed by me.

If you have multiple user ids, I sent the signature for each user id
separately to that user id's associated email address. You can import
the signatures by running each through `gpg --import`.

Note that I did not upload your key to any keyservers. If you want this
new signature to be available to others, please upload it yourself.
With GnuPG this can be done using
	gpg --keyserver subkeys.pgp.net --send-key 7920DB2171B98B64

If you have any questions, don't hesitate to ask.
---end quote---

I'd value the opinions of the list, as I want to ensure correct
procedure is followed to ensure the integrity of the web of trust.

Tony


[1] http://www.hantslug.org.uk/cgi-bin/wiki.pl?LinuxHints/KeySigning
