Signing people with only one form of ID?
dshaw at jabberwocky.com
Thu Feb 28 04:09:03 CET 2008
On Wed, Feb 27, 2008 at 08:45:50PM -0600, Robert J. Hansen wrote:
> Another couple of thoughts--
>> I know I am free to do whatever I want, but I am looking for
>> feedback and, perhaps, consensus from the community.
> If I recall correctly, OpenPGP explicitly has six different certification
> levels (in the range 0-5), but it does not specify any semantic meaning to
> each level. They make recommendations, but those recommendations are not
> really binding.
4 levels: 0-3, inclusive. They are not binding (can't be, given the
design), but meaning is specified. The meaning, however, is relative
to the signer. That is, my #2 is not necessarily the same as someone
> To muddy the waters further, many OpenPGP implementations either fail to
> support certification-level distinctions, or make you jump through hoops in
> order to do it. Those hoops are often error-prone.
I know of no OpenPGP implementation that truly supports certification
level distinctions. All of them, including GPG, treat a signature as
a signature, regardless of the level. GPG does have a way to say
"don't accept anything less than level (X)" (which defaults to 2), but
once a signature has been accepted, it's the same as any other
> E.g., GnuPG. GnuPG's default certification level is a 3.
The default is 0. 0 makes no claim at all, which is the safest
The levels (for general knowledge) are:
0 = I'm not telling you ("generic")
1 = I didn't check at all ("persona")
2 = I checked a little bit ("casual")
3 = I checked a lot ("positive")
There is a lot more verbiage on the 4 types in RFC-4880, but it
basically boils down to what I said above.
> If I see a signature on someone's key, I know absolutely nothing.
> Maybe it's a simple persona-level cert, in which case they should
> have certified it with a 0 but they just forgot to set the cert
> level. Maybe it's a "I have his DNA and fingerprints on file with
> me and I asked the FBI to check him out", in which case they should
> have certified it as a 5 but they just forgot to set the cert level.
> Etc., etc.
Some people include a policy URL in the certification to tell a
recipient just what was done. This has its own advantages and
disadvantages, but is really a comment as well, as no program parses
and acts on the information.
The bottom line is that you can sign with a signature level if you
like, but (barring persona signatures) it only makes a marginal
difference in practice.