Signing people with only one form of ID?

David Shaw dshaw at jabberwocky.com
Thu Feb 28 04:09:03 CET 2008


On Wed, Feb 27, 2008 at 08:45:50PM -0600, Robert J. Hansen wrote:
> Another couple of thoughts--
>
>> I know I am free to do whatever I want, but I am looking for
>> feedback and, perhaps, consensus from the community.
>
> If I recall correctly, OpenPGP explicitly has six different certification 
> levels (in the range 0-5), but it does not specify any semantic meaning to 
> each level.  They make recommendations, but those recommendations are not 
> really binding.

4 levels: 0-3, inclusive.  They are not binding (can't be, given the
design), but meaning is specified.  The meaning, however, is relative
to the signer.  That is, my #2 is not necessarily the same as someone
else's #2.

> To muddy the waters further, many OpenPGP implementations either fail to 
> support certification-level distinctions, or make you jump through hoops in 
> order to do it.  Those hoops are often error-prone.

I know of no OpenPGP implementation that truly supports certification
level distinctions.  All of them, including GPG, treat a signature as
a signature, regardless of the level.  GPG does have a way to say
"don't accept anything less than level (X)" (which defaults to 2), but
once a signature has been accepted, it's the same as any other
signature.

> E.g., GnuPG.  GnuPG's default certification level is a 3.

The default is 0. 0 makes no claim at all, which is the safest
default.

The levels (for general knowledge) are:

  0 = I'm not telling you    ("generic")
  1 = I didn't check at all  ("persona")
  2 = I checked a little bit ("casual")
  3 = I checked a lot        ("positive")

There is a lot more verbiage on the 4 types in RFC-4880, but it
basically boils down to what I said above.

> If I see a signature on someone's key, I know absolutely nothing.
> Maybe it's a simple persona-level cert, in which case they should
> have certified it with a 0 but they just forgot to set the cert
> level.  Maybe it's a "I have his DNA and fingerprints on file with
> me and I asked the FBI to check him out", in which case they should
> have certified it as a 5 but they just forgot to set the cert level.
> Etc., etc.

Some people include a policy URL in the certification to tell a
recipient just what was done.  This has its own advantages and
disadvantages, but is really a comment as well, as no program parses
and acts on the information.

The bottom line is that you can sign with a signature level if you
like, but (barring persona signatures) it only makes a marginal
difference in practice.

David
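The reply above describes three things that a program could act on: the four certification types (0x10-0x13, mapped to levels 0-3), GnuPG's "don't accept anything less than level X" rule with its default of 2, and the optional policy URL subpacket. The following Python is an added illustration written for this archive page; it is not code from the thread, from GnuPG, or from RFC 4880. It parses the header fields of a v4 OpenPGP signature packet (old and new packet headers, the signature type, and any Policy URI subpacket in the hashed area) and then applies a min-cert-level check modelled on what the gpg man page states: certifications below the threshold are ignored, except that level 0 is always accepted because it makes no claim. The `build_packet` helper is a constructed test fixture that produces truncated packets (no MPIs, a zero hash prefix), so the output is only useful for exercising the parser, not for anything GnuPG would verify.

```python
"""Read the certification level and policy URL from an OpenPGP v4
signature packet and apply a gpg-style --min-cert-level policy.
Added example; not code from the thread or from GnuPG."""
import struct

# RFC 4880 section 5.2.1: signature types for User ID certifications.
CERT_TYPES = {
    0x10: (0, "generic"),   # no particular claim
    0x11: (1, "persona"),   # not checked at all
    0x12: (2, "casual"),    # checked a little
    0x13: (3, "positive"),  # checked a lot
}
POLICY_URI_SUBPACKET = 26  # RFC 4880 section 5.2.3.20


def _read_length(buf, pos):
    """New-format packet length (4.2.2); the same encoding is used for
    subpacket lengths (5.2.3.1). Returns (length, next_position)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 224:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if first == 255:
        return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial body lengths are not handled here")


def parse_signature_packet(data):
    """Return (signature_type, policy_uri_or_None) for one v4 signature packet."""
    tag_byte = data[0]
    if not tag_byte & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if tag_byte & 0x40:                      # new-format header: tag in bits 5..0
        tag = tag_byte & 0x3F
        body_len, pos = _read_length(data, 1)
    else:                                    # old-format header: tag in bits 5..2
        tag = (tag_byte >> 2) & 0x0F
        ltype = tag_byte & 0x03              # length type in bits 1..0
        if ltype == 0:
            body_len, pos = data[1], 2
        elif ltype == 1:
            body_len, pos = struct.unpack(">H", data[1:3])[0], 3
        elif ltype == 2:
            body_len, pos = struct.unpack(">I", data[1:5])[0], 5
        else:
            raise ValueError("indeterminate length not handled here")
    if tag != 2:
        raise ValueError("packet tag %d is not a signature packet" % tag)
    body = data[pos:pos + body_len]
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    sig_type = body[1]                       # body[2] pubkey alg, body[3] hash alg
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    policy_uri = None
    p = 0
    while p < len(hashed):
        sp_len, p = _read_length(hashed, p)  # length covers type octet + data
        sp_type = hashed[p] & 0x7F           # high bit is the "critical" flag
        if sp_type == POLICY_URI_SUBPACKET:
            policy_uri = hashed[p + 1:p + sp_len].decode("utf-8", "replace")
        p += sp_len
    return sig_type, policy_uri


def cert_level(sig_type):
    """Map a certification signature type to (level, name)."""
    if sig_type not in CERT_TYPES:
        raise ValueError("0x%02x is not a User ID certification" % sig_type)
    return CERT_TYPES[sig_type]


def accepted(level, min_cert_level=2):
    """gpg --min-cert-level semantics: ignore certs below the threshold,
    but always accept level 0 since it makes no claim."""
    return level == 0 or level >= min_cert_level


def classify(packet, min_cert_level=2):
    """Parse a packet and report level, name, policy URL and acceptance."""
    sig_type, uri = parse_signature_packet(packet)
    level, name = cert_level(sig_type)
    return {"level": level, "name": name, "policy_uri": uri,
            "accepted": accepted(level, min_cert_level)}


def build_packet(sig_type, policy_uri=None, old_format=False):
    """Constructed fixture: a truncated v4 signature packet with no MPIs and a
    zero hash prefix, enough to exercise the parser. Hypothetical, not real data."""
    subpackets = b""
    if policy_uri:
        uri = policy_uri.encode()
        subpackets += bytes([len(uri) + 1, POLICY_URI_SUBPACKET]) + uri
    body = bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(subpackets)) + subpackets
    body += struct.pack(">H", 0) + b"\x00\x00"      # no unhashed subpackets, hash prefix
    header = bytes([0x88 if old_format else 0xC2])  # tag 2, one-octet length
    return header + bytes([len(body)]) + body


if __name__ == "__main__":
    for t in CERT_TYPES:
        print(classify(build_packet(t, "https://example.invalid/policy")))
```

With the default threshold of 2 only the persona certification comes back as not accepted, which matches the observation in the reply that, barring persona signatures, the level makes little practical difference; the policy URI is returned as plain text for a human to read, since no program acts on it.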



More information about the Gnupg-users mailing list