Signing people with only one form of ID?

Richard Hartmann richih.mailinglist at gmail.com
Fri Feb 29 10:49:13 CET 2008


On Thu, Feb 28, 2008 at 4:43 AM, Brian Smith <brian at briansmith.org> wrote:


>  I don't see how a keysigning party works. Anybody that participates by
>  showing ID is reducing their personal privacy by divulging their
>  personal information.

The basic assumption is that a key signing is good and that you actually
gain something from it. If the other guy were to start copying my ID, he
would not get far.


>  Furthermore, carrying around such ID is much more
>  likely to create a security problem (if it is lost or stolen) than
>  anything GPG can prevent. Finally, we give up a lot of personal security
>  when we give our personal information to governments to get our
>  government-issued IDs, which I think is a big mistake.

In some countries, you simply have to carry it on you, end of story. You
might as well enjoy the few benefits.


>  Especially, when
>  I was staying in Thailand, I saw firsthand how governments (Thai,
>  American, and every other one) use ID controls to repress people they
>  don't like. Anybody that insists on government-issued ID for
>  authentication is doing the world a disservice.

In the US, they are just using credit cards and the ability to block money
on your account for their own use instead of ID. This is basically an ID
with electronic traceability (people _know_ you were in X, renting a car.
And they can look it all up in a central location).


>  For all those reasons, I am willing to sign anybody's keys at any level
>  without any authentication, using as many different signatures as they
>  require. And, I will do so with a set of keys that are not linked to my
>  (online or real-life) identity, so they cannot be blacklisted. Actually,
>  I would like to create a network of people with the same key-signing
>  policy.

I would like you to do that as well. Please keep that out of what others
_try_ to make as good as possible.


>  In doing so, I think it will be easy to demonstrate why the
>  current implementation of the web-of-trust via keysigning is
>  inadequate, especially when such a network of people participate in
>  keysigning parties to promote the authority of their own (bogus)
>  signatures.

While living in a perfect world is, of course, perfect (for exactly one
person) I would rather try and change what I can and until such a
point, do the things that I can do to make the best of actual reality.

I just hope those people stay as far away from my personal nodes
as possible.


>  In an ideal world, the fact that I am disclosing this information in
>  advance should mean that nobody will sign my PGP key at any keysigning
>  party.

With a name of Brian Smith, this is easily feasible..


>  I don't know how many I will be able to attend, but I will
>  attempt to get as many signatures as I can, alternatively using my
>  birth name and a name of my own choosing (possibly copied from somebody
>  with a coincidentally similar appearance).

This will give you only identities of people who look like you, which is
also possible in the real world. The only thing you are proving is the
need for better ID for the sake of 'added security'. Gee, thanks ;)


>  It will be interesting to see
>  how many people will give me a level 5 classification with an identity
>  that can be traced back directly to this message.

I doubt you include the unique message ID of this mail in your key. Else,
this is just a snug comment with no actual warning value to anyone.


Richard


