Do not conflate key+userID certification with "vouching" [was: Re: How to verify the e-mail address when certifying OpenPGP User IDs]

Grant Olson kgo at
Fri Apr 8 20:38:41 CEST 2011

On 4/8/11 2:00 PM, Daniel Kahn Gillmor wrote:
> On 04/07/2011 09:37 PM, Grant Olson wrote:
>> Keep in mind that the web-of-trust isn't the mafia.  If you 'vouch' for
>> someone and they turn out to be a rat, nobody's going to put two bullets in
>> your chest, and one in your head.
> "Vouching" for someone usually means that you think you can rely on the
> person, and that you think they're somehow "good", "on our side",
> "trustworthy", etc.
> Making an OpenPGP certification ("keysigning") is *not* the same as
> "vouching" for them.  An OpenPGP certification is a simple assertion of
> two things: {identity (which may include an address), and ownership of a
> key}.
> An OpenPGP certification says nothing about whether you think the
> keyholder is a good person, whether you would trust them with your
> children, whether they are a good software engineer, whether you would
> vote them into public office if you happen to live in a democracy, or
> even whether you are willing to rely on the OpenPGP certifications they
> produce. [0]

We're on the same page here, although I probably made my point sloppily.
Two definitions of vouch:

1. Assert or confirm as a result of one's own experience that something
is true or accurately so described.
2. Confirm that someone is who they say they are or that they are of
good character: "someone could vouch for him".

A sig is the first definition.  Organized crime is the second.

Jan seems to be worried that if he signs a key, and Eve is somehow
illegally using an email or whatever, that his signature would add some
sort of credibility or trust measurement to Eve when she initiates her
Nigerian 411 scam.  I was (sloppily) saying that the signature implies
no such thing.

> You are free to assert these other qualities in many other ways, of
> course.  For example, I could write, sign, and publish a document that
> says "Alice <alice at> has strong moral fiber".  This sort of
> "vouching" would be distinct from my certification of Alice's OpenPGP
> key.  Note that I am *not* saying that Alice's key has strong moral
> fiber.  My statement is vouching for *Alice*, not her key.

Like I said, if you want to do this, using certification levels and a
signing policy might be a less ad-hoc way of accomplishing this.  (Not
that any clients currently do anything with that info.)  And yes,
there's still a distinction between the actual person and their key.

Like you say below, attaching various certification levels may actually
be undesirable and leak more personal info than some people want out there.

> Keeping the semantics of keysigning restricted to a simple assertion of
> identity and key ownership makes it possible to do reasoned inference
> over a set of certifications, to establish (via intermediate parties,
> such as "mutual acquaintances") a level of reliable identity and
> key-ownership between people (and other entities!) who have never
> physically met.  It also makes OpenPGP certification less fraught with
> doubt or confusion, and it reduces the amount of deep social relationships
> published on the public keyservers.  This is good.


"I am gravely disappointed. Again you have made me unleash my dogs of war."
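The thread above keeps coming back to what an OpenPGP certification actually carries (a binding of a user ID to a key, plus a certification class) and to the "reasoned inference" a relying party performs over a set of such certifications. The following is an added example, not code from the message or from GnuPG: it parses the machine-readable `gpg --list-sigs --with-colons` record format (layout per GnuPG's doc/DETAILS) into certification records and then runs a simplified version of GnuPG's trust-database counting over them. All key IDs, names and the listing itself are constructed for the example; the ownertrust assignments are the relying party's, which is the point: the same certifications yield different validity depending on whom the relying party chooses to trust, and nothing in the records says anything about anyone's character.

```python
"""Reading OpenPGP certifications out of ``gpg --list-sigs --with-colons``.

Added example for this thread, not GnuPG code.  Record layout follows
GnuPG's doc/DETAILS: field 1 is the record type, field 5 the key ID
(for sig/rev records: the certifier's), field 10 the user ID, field 11
the signature class as two hex digits plus 'x' (exportable) or 'l'
(local-only).  The listing below is constructed, not captured.
"""
import re
from dataclasses import dataclass

# RFC 4880 certification signature types (section 5.2.1).
CERT_LEVELS = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}
CERT_REVOCATION = 0x30

# Constructed sample: Alice's key with one user ID and five certifications:
# her own self-sig, Bob (generic), Carol (casual, local-only), Dave (persona)
# and Erin (positive, later revoked by Erin).  All key IDs are made up.
SAMPLE_LISTING = """\
pub:u:2048:1:1234567890ABCDEF:1302283081:::u:::scESC:
uid:u::::1302283081::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.org>::::::::::0:
sig:::1:1234567890ABCDEF:1302283081::::Alice Example <alice@example.org>:13x::::::::::2:
sig:::1:FEDCBA0987654321:1302283200::::Bob Example <bob@example.org>:10x::::::::::8:
sig:::1:0011223344556677:1302283300::::Carol Example <carol@example.org>:12l::::::::::8:
sig:::1:89ABCDEF01234567:1302283400::::Dave Example <dave@example.org>:11x::::::::::8:
sig:::1:0022446688AACCEE:1302283500::::Erin Example <erin@example.org>:13x::::::::::8:
rev:::1:0022446688AACCEE:1302283600::::Erin Example <erin@example.org>:30x::::::::::8:
"""

CLASS_RE = re.compile(r"([0-9a-fA-F]{2})([xl])")


@dataclass(frozen=True)
class Certification:
    key_id: str       # primary key whose user ID is certified
    user_id: str      # the certified user ID
    signer: str       # key ID of the certifier
    level: int        # 0x10 .. 0x13
    exportable: bool  # False for local-only ('l') signatures


def parse_listing(text):
    """Return live third-party certifications found in a colon listing.

    Self-certifications are dropped, and a certification revocation (0x30)
    from a signer cancels that signer's certification of the same user ID
    regardless of record order.  Note what a record carries: which key,
    which user ID, who signed, and a class.  Nothing else.
    """
    certs, revoked = {}, set()
    key_id = user_id = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key_id, user_id = f[4], None
        elif f[0] == "uid":
            user_id = f[9]
        elif f[0] in ("sig", "rev") and user_id is not None:
            signer, m = f[4], CLASS_RE.fullmatch(f[10])
            if m is None or signer == key_id:
                continue
            code, ident = int(m.group(1), 16), (key_id, user_id, signer)
            if f[0] == "rev" and code == CERT_REVOCATION:
                revoked.add(ident)
            elif code in CERT_LEVELS:
                certs[ident] = Certification(*ident, code, m.group(2) == "x")
    return [c for k, c in certs.items() if k not in revoked]


def uid_validity(certs, ownertrust, marginals_needed=3, completes_needed=1,
                 min_cert_level=2):
    """Simplified GnuPG trust-database counting for each certified user ID.

    ownertrust maps a certifier key ID to "full" or "marginal"; anyone else
    counts for nothing, however many certifications they made.  Following
    GnuPG's --min-cert-level default of 2, persona (0x11) certifications
    are disregarded while generic (0x10) ones always count.  Real GnuPG
    also checks path depth, expiry and the certifier's own validity; this
    is the counting step only.
    """
    signers_by_uid = {}
    for c in certs:
        lvl = c.level - 0x10
        if lvl != 0 and lvl < min_cert_level:
            continue
        signers_by_uid.setdefault((c.key_id, c.user_id), set()).add(c.signer)
    result = {}
    for uid, signers in signers_by_uid.items():
        full = sum(ownertrust.get(s) == "full" for s in signers)
        marginal = sum(ownertrust.get(s) == "marginal" for s in signers)
        if full >= completes_needed or marginal >= marginals_needed:
            result[uid] = "full"
        elif full or marginal:
            result[uid] = "marginal"
        else:
            result[uid] = "undefined"
    return result


if __name__ == "__main__":
    certs = parse_listing(SAMPLE_LISTING)
    for c in certs:
        print(f"{c.signer} certified {c.user_id!r} as {CERT_LEVELS[c.level]}"
              f"{'' if c.exportable else ' (local-only)'}")
    # Same certifications, two relying parties with different ownertrust:
    # Bob and Carol marginal plus Dave full gives only marginal validity,
    # because Dave's persona certification is disregarded by default.
    print(uid_validity(certs, {"FEDCBA0987654321": "marginal",
                               "0011223344556677": "marginal",
                               "89ABCDEF01234567": "full"}))
    print(uid_validity(certs, {"FEDCBA0987654321": "full"}))
```

Run it against a real keyring with `gpg --list-sigs --with-colons KEYID` piped into `parse_listing` to see which certifications survive revocation and which are local-only (and so never reach a keyserver). Only `uid_validity` takes an opinion about people, and that opinion is the relying party's ownertrust input, never something read out of a certification.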
