Driving licence as identification and accepting signed keys without exchanging encrypted data

Robert J. Hansen rjh at sixdemonbag.org
Tue Jul 25 12:35:23 CEST 2006


Tony Whitmore wrote:
> Yet it's already been suggested in this thread that this represents 
> insufficient verification.

Simple answers like "sufficient" or "insufficient" are tempting, but
they utterly lack context.  When it comes to these questions, you need
to carefully assess your needs and then establish a security policy that
meets those needs.

So: start from the beginning.  What's your threat model?  What do you
need an OpenPGP key signature to represent?  How paranoid do you need to be?

Once you know that, then start looking for other people with similar
policies and ask them for arguments for or against to help you decide.
But asking strangers with completely unknown policies is unlikely to do
much but confuse you.



