Driving licence as identification and accepting signed keys without exchanging encrypted data

Atom Smasher atom at smasher.org
Tue Jul 25 17:37:46 CEST 2006

On Tue, 25 Jul 2006, Tony Whitmore wrote:

> Thanks Atom, that article was linked to from the thread suggested 
> yesterday. It covers some interesting etiquette points, and certainly 
> doesn't mention using an encrypted block of random data to further verify 
> identity:
> "If required, they may take this opportunity to present each other with 
> formal identification. After enjoying each others' company, they each 
> return home, verify each others' key information to be correct (between 
> the papers they exchanged and the keys they are about to sign), and sign 
> each others' keys. They may then exchange signed keys."
> Yet it's already been suggested in this thread that this represents 
> insufficient verification.
> As I mentioned yesterday, I understand that it's my decision whether to 
> trust any particular piece of identification. I thought it would be 
> worth finding out whether there are any actual arguments for or against 
> accepting such ID which would help inform my decision.

what form of ID cannot be forged, stolen or otherwise compromised? if 
everyone had govt issued tattoos, or RFID implants, would that be 100% 
trustworthy? what about biometrics?

to make things worse, we can't even trust multiple forms of ID (passport + 
DL + credit cards + library card + employee ID, etc) because fake IDs are 
often obtained/established using other fake IDs.

there are even cases where people have spent years being married to 
someone and the spouse wasn't who they claimed to be. other than my 
immediate family, is there anyone whose identity i can *really* be 100% 
certain of? can i even trust my immediate family?

given this, it's really somewhat hopeless to think that you can absolutely 
verify the identity of someone you just met... but even if you can't 
absolutely verify (earning a level 3 signature) someone's identity, you 
can still issue a level one or two signature based on your level of 
confidence that the person is who they claim to be.

if you follow the protocol outlined in the article you can at least 
demonstrate that the person controls the private key and email address. 
since legal names are not designed to be 100% unique (i know of several 
people named "george bush") we can, to a certain extent, blur the line 
between real names and pseudonyms... in sci-fi we can often think of 
identification as an absolute, but in the real world it's blurry.

my own current [informal] policy is that only people i have personally 
known for extended periods of time can get a level 3 signature from me 
(and i recognize that even this is not 100% accurate). if i just meet 
someone at a key signing party and they show me some ID, that earns a level 
2 signature. in no way am i implying that this policy is right and 
everything else is wrong... that's just the way i'm currently doing it. 
everyone needs to figure it out for themselves, and do what makes the most 
sense to them.


  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808

 	"Reality is that which, when you stop believing in it,
 	 doesn't go away."
 		-- Philip K. Dick
