Do not conflate key+userID certification with "vouching"

Fri Apr 8 21:35:56 CEST 2011

On 04/08/2011 02:38 PM, Grant Olson wrote:
>  Two definitions of vouch:
> 
> 1. Assert or confirm as a result of one's own experience that something
> is true or accurately so described.
> 2. Confirm that someone is who they say they are or that they are of
> good character: "someone could vouch for him".
> 
> A sig is the first definition.  Organized crime is the second.

Or, more simply, An OpenPGP certification is "vouching for someone's
identity"; it is not "vouching for someone".

But given the easy confusion and the level of nuance required to tease
the concepts apart, i think we're better off avoiding the term "vouch"
entirely, and talking about "assertions of identity and key ownership"
instead.  Why use a term likely to sow more confusion in an already
confused topic?

> Like I said, if you want to do this, using certification levels and a
> signing policy might be a less ad-hoc way of accomplishing this.

Actually, i think using a signing policy and certification levels to
refer to non-identity,non-key-ownership characteristics is *also* a mistake.

Here are the descriptions of the conventionally-defined "certification
levels" (from https://tools.ietf.org/html/rfc4880#page-20) :

>>    0x10: Generic certification of a User ID and Public-Key packet.
>>        The issuer of this certification does not make any particular
>>        assertion as to how well the certifier has checked that the owner
>>        of the key is in fact the person described by the User ID.
>> 
>>    0x11: Persona certification of a User ID and Public-Key packet.
>>        The issuer of this certification has not done any verification of
>>        the claim that the owner of this key is the User ID specified.
>> 
>>    0x12: Casual certification of a User ID and Public-Key packet.
>>        The issuer of this certification has done some casual
>>        verification of the claim of identity.
>> 
>>    0x13: Positive certification of a User ID and Public-Key packet.
>>        The issuer of this certification has done substantial
>>        verification of the claim of identity.
>> 
>>        Most OpenPGP implementations make their "key signatures" as 0x10
>>        certifications.  Some implementations can issue 0x11-0x13
>>        certifications, but few differentiate between the types.
> 

Note that none of these levels make any reference to anything other than
identity and key ownership.  They refer to levels of certainty (of the
issuer) of identity and key ownership (of the subject).  But not to any
other statements like "has strong moral fiber" or "has been my best
friend since birth" or "is trustworthy around dogs" or "loves sauerkraut
as much as i do".  [0]

Again, if you want to assert these things publicly, you're free to do
so.  But regular public OpenPGP certifications are probably the wrong
place to do it.

OpenPGP certifications should be about identity and key-ownership.

Regards,

	--dkg

[0] Note that i *could* give a "positive" certification to my best
friend since birth, since i certainly have done substantial verification
of his identity, but that doesn't work bi-directionally: every
"positive" certification doesn't have to mean "best friend since birth".
 Moreover, making that kind of assertion would leak some additional
information about my perception of our relationship, and  (since our
tools don't make use of this information) it would not provide any
additional benefit to either of us.  So why would anyone make such a
public certification?

If someone can describe an actual benefit, i can decide whether it's
worth the tradeoff that comes from the extra data in the social graph
implied by the WoT.  But as it stands, i don't think there's even a
tradeoff to be made.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20110408/a83a8b3d/attachment.pgp>