Signing people with only one form of ID?

Richard Hartmann richih.mailinglist at gmail.com
Sat Mar 1 12:46:40 CET 2008


On Fri, Feb 29, 2008 at 6:40 PM, Brian Smith <brian at briansmith.org> wrote:


>  > The basic assumption is that a key signing is good and that
>  > you actually gain something from it.
>
>  That is the assumption that I am challenging.

You are not challengging the assumption, you are attacking the
implementation :)


> > In the US, they are just using credit cards and the ability
>  > to block money on your account for their own use in stead of
>  > ID. This is basically an ID with electronic traceability
>  > (people _know_ you were in X, renting a car.
>  > And they can look it all up in a central location).
>
>  These are things I want to help change.

For some things, you simply need to establish identity. As
soon as you leave the 'I have known you since birth and you
are tightly knit into my social circle' regions, doing some
things, especially ones involving large amounts of money,
is simply not feasible.

You can challenge that assumption by giving me your car,
house & bank accounts. Unless you never go far from your
birthplace, or progress very slowly in one direction, you
simply need to be able to establish ID. Or you can do the
US thing of just taking a pile of [electronic] cash into
custody.


>  There's got to be some mechanism that doesn't require (as much) hope,
>  and which doesn't require the loss of anonymity, at least for common
>  uses of PGP like personal email.

There are three forms of ID:

a) 'This is the same person I have had contact with before.'
   This can be done via an unsigned key or facial recognition.

b) 'This person is known to someone I [have to] trust.'
   Web of trust, government-issued ID, alias-based eID

c) 'I know this person to be X.'
   You have known them for a very long time, preferably since
   their birth.

As GPG WoT aims to stay in the realm of b), it is, quite literally,
impossible to establish anything of use with a). Note that there
are schemes that involve GPG and a), but they can not reliably
establish identity, only authenticy.


>  Would better IDs really help? It has got to be hard for a person to say
>  "I don't trust you or your ID, I'm not going to sign your key."

If your full DNA print is being taken at birth, you are implanted with a
chip immediately & you are under close, automated surveillance for
all your life, this would be the complete solution and 'help', yes.

If I had any reasonable doubt as to the validity of someone's ID
or if they match the identity on the ID, I would say so, yes. If you
are concerned about the social implications, tell them you will
sign it and then don't. Chances are that in such a scenario, you
will not meet the other person again, anyway.


Richard

>
>
>
>  - Brian
>
>
>  _______________________________________________
>  Gnupg-users mailing list
>  Gnupg-users at gnupg.org
>  http://lists.gnupg.org/mailman/listinfo/gnupg-users
>



More information about the Gnupg-users mailing list