trust your corporation for keyowner identification?

Robert J. Hansen rjh at sixdemonbag.org
Wed Oct 23 00:01:46 CEST 2013


On 10/22/2013 11:01 AM, Stan Tobias wrote:
> But this is not a real identification - almost none of us
> has means to confirm an identity, which is a job for a detective.

Last time I walked into a courthouse to speak with a judge the marshal
asked for my driver's license -- he checked the photograph to make sure
it was me, held it up to the light to check for a hologram, then checked
the logbook to see if I was an expected visitor.  Once he saw my name
listed in the logbook he gave my driver's license back and buzzed me in.
 As far as the U.S. Marshal was concerned, my identity had been proven
to a sufficient degree.  He certainly didn't conduct a background check
on me.

(My father and cousin are both judges, if you're wondering why I visit
courthouses so often.)

That phrase, "to a sufficient degree," is important.  You cannot ever
verify someone's identity 100%, not even with DNA testing -- it's always
possible they have an identical twin, always possible the lab work was
sloppy and done in error, etc.  What you want to do instead is have a
certain level of confidence in someone's identity.

For some people, that level of confidence is "this person says they are
so-and-so."  For other people, that level of confidence is "this person
has a passport saying they are so-and-so."

OpenPGP is completely silent about what level of confidence you should
have for a certification.  It only says that when you sign a
certificate, you are making an assertion about identity: that, to a
level exceeding your threshold of certainty, such-and-such an identifier
is an accurate descriptor for the individual or agency who controls the
private part of a certificate.



