Driving licence as identification and accepting signed keys without exchanging encrypted data

David Shaw dshaw at jabberwocky.com
Mon Jul 24 23:23:23 CEST 2006


On Mon, Jul 24, 2006 at 09:50:22PM +0100, Tony Whitmore wrote:
> I'm still working on getting my card reader to work, but in the
> meantime, I have a couple of questions regarding key-signing etiquette
> following a session at LUG Radio Live last weekend. I hope the questions
> are not OT, I've checked the HOWTOs & FAQs, but there's some ambiguity
> in them.
> 
> First: Is a photo driving licence considered adequate identification?
> I'm in the UK so we have UK / EU photo driving licences. I have
> previously only used passports as ID, but some people were presenting
> driving licences instead.

It depends on what *you* think.  Some people do accept driver licences
as adequate identification.  Some don't.  I do, for what it's worth.

> Second: I've already had back some e-mails, encrypted with my public
> key, with signatures attached ready for me to upload to a keyserver. I
> usually use the procedure described at [1], which requires the
> additional verification of the encryption, exchange and decryption of a
> random amount of text before signatures are sent. Obviously I have to be
> able to decrypt the e-mail successfully to access the signature they
> have sent me, but is this considered a safe and appropriate way to sign
> keys?

No, it's not.  Some people do it, though.

Note that there is a difference between what the page at
http://www.hantslug.org.uk/cgi-bin/wiki.pl?LinuxHints/KeySigning says
and what you say above.  The page (correctly) notes that all that is
necessary is that the person *sign* the challenge before sending it
back to you.  The page makes clear ("encrypted, if you like") that
encryption is optional here, and adds little to what you are trying to
prove.  It doesn't matter if other people can read the signed
challenge or not.  Of course, it doesn't hurt to encrypt, so long as
it is understood that it doesn't really help either.

Take a look at the thread starting at
http://lists.gnupg.org/pipermail/gnupg-users/2006-July/028949.html

It has a pretty good discussion of various issues around keysigning.

David
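
The check described in the reply above, as an added example that is not part of the original message or of GnuPG: the party who sent the challenge accepts a reply only if it carries a good signature from the expected key over the exact challenge sent, whether or not the reply was also encrypted. It assumes GnuPG 2.1 or later; the helper names, the throwaway key and the address are constructed for illustration.

```shell
#!/bin/sh
# Added example. Needs GnuPG 2.1+; every key, name and address is constructed.

# A fresh random challenge to mail to one address listed on the key.
make_challenge() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# check_response FINGERPRINT CHALLENGE FILE
# Passes only if FILE carries a good signature whose primary key is
# FINGERPRINT and the signed text has CHALLENGE on a line of its own.
check_response() {
    text=$(mktemp) || return 1
    # --decrypt also accepts clearsigned input, so an encrypted reply and a
    # plain signed reply go through the same check.
    fpr=$(gpg --batch --yes --status-fd 1 --output "$text" --decrypt "$3" 2>/dev/null |
          awk '$2 == "GOODSIG" { good = 1 } $2 == "VALIDSIG" { f = $NF }
               END { if (good) print f }')
    rc=1
    [ -n "$fpr" ] && [ "$fpr" = "$1" ] && grep -qxF -- "$2" "$text" && rc=0
    rm -f "$text"
    return $rc
}

# Constructed stand-in for the other party: a throwaway keyring and key.
setup_owner() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Constructed Owner <owner@example.invalid>' \
        ed25519 sign never 2>/dev/null || return 1
    OWNER_FPR=$(gpg --batch --with-colons --list-keys 2>/dev/null |
                awk -F: '$1 == "fpr" { print $10; exit }')
}

# The owner's side: clearsign the challenge, no encryption involved.
owner_reply() {
    printf '%s\n' "$1" | gpg --batch --quiet --clearsign 2>/dev/null
}

demo() {
    setup_owner || return 1
    sent=$(make_challenge)
    owner_reply "$sent" > "$GNUPGHOME/reply.asc"
    check_response "$OWNER_FPR" "$sent" "$GNUPGHOME/reply.asc" && echo "accepted"
    check_response "$OWNER_FPR" "$(make_challenge)" "$GNUPGHOME/reply.asc" ||
        echo "signed reply to a different challenge: rejected"
    gpgconf --kill gpg-agent; rm -rf "$GNUPGHOME"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument `demo` to see both outcomes; in real use the fingerprint passed to `check_response` is the one compared in person at the key-signing session.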


