Signing people with only one form of ID?
Robert J. Hansen
rjh at sixdemonbag.org
Thu Feb 28 03:45:50 CET 2008
Another couple of thoughts--
> I know I am free to do whatever I want, but I am looking for
> feedback and, perhaps, consensus from the community.
If I recall correctly, OpenPGP explicitly has six different
certification levels (in the range 0-5), but it does not specify any
semantic meaning to each level. They make recommendations, but those
recommendations are not really binding.
To muddy the waters further, many OpenPGP implementations either fail to
support certification-level distinctions, or make you jump through hoops
in order to do it. Those hoops are often error-prone.
E.g., GnuPG. GnuPG's default certification level is a 3. If I see a
signature on someone's key, I know absolutely nothing. Maybe it's a
simple persona-level cert, in which case they should have certified it
with a 0 but they just forgot to set the cert level. Maybe it's a "I
have his DNA and fingerprints on file with me and I asked the FBI to
check him out", in which case they should have certified it as a 5 but
they just forgot to set the cert level. Etc., etc.
Because of these three factors--no semantic meaning associated with
certification levels, some OpenPGP implementations not supporting the
distinctions, and many implementations making it easy to forget that
such distinctions exist--my default policy is to treat all signatures as
unchecked persona-level IDs unless I know the signer personally and know
they have a signature policy.
More information about the Gnupg-users