Signing people with only one form of ID?
Brian Smith
brian at briansmith.org
Thu Feb 28 04:43:23 CET 2008
Robert J. Hansen wrote:
> Because of these three factors--no semantic meaning
> associated with certification levels, some OpenPGP
> implementations not supporting the distinctions, and many
> implementations making it easy to forget that such
> distinctions exist--my default policy is to treat all
> signatures as unchecked persona-level IDs unless I know the
> signer personally and know they have a signature policy.
Even that strict policy is hardly sensible, but it is better than the
policies that are often promoted.
I don't see how a keysigning party works. Anybody that participates by
showing ID is reducing their personal privacy by divulging their
personal information. Furthermore, carrying around such ID is much more
likely to create a security problem (if it is lost or stolen) than
anything GPG can prevent. Finally, we give up a lot of personal security
when we give our personal information to governments to get our
government-issued IDs, which I think is a big mistake. Especially when
I was staying in Thailand, I saw firsthand how governments (Thai,
American, and every other one) use ID controls to repress people they
don't like. Anybody that insists on government-issued ID for
authentication is doing the world a disservice.
For all those reasons, I am willing to sign anybody's keys at any level
without any authentication, using as many different signatures as they
require. And, I will do so with a set of keys that are not linked to my
(online or real-life) identity, so they cannot be blacklisted. Actually,
I would like to create a network of people with the same key-signing
policy. In doing so, I think it will be easy to demonstrate why the
current implementation of the web-of-trust via keysigning is
inadequate, especially when such a network of people participate in
keysigning parties to promote the authority of their own (bogus)
signatures.
In an ideal world, the fact that I am disclosing this information in
advance should mean that nobody will sign my PGP key at any keysigning
party. I don't know how many I will be able to attend, but I will
attempt to get as many signatures as I can, alternately using my
birth name and a name of my own choosing (possibly copied from somebody
with a coincidentally similar appearance). It will be interesting to see
how many people will give me a level 5 classification with an identity
that can be traced back directly to this message.
- Brian
More information about the Gnupg-users mailing list