trust your corporation for keyowner identification?

Paul R. Ramer free10pro at gmail.com
Fri Oct 25 02:44:35 CEST 2013


"Robert J. Hansen" <rjh at sixdemonbag.org> wrote:
>On 10/22/2013 11:01 AM, Stan Tobias wrote:
>That phrase, "to a sufficient degree," is important.  You cannot ever
>verify someone's identity 100%, not even with DNA testing -- it's always
>possible they have an identical twin, always possible the lab work was
>sloppy and done in error, etc.  What you want to do instead is have a
>certain level of confidence in someone's identity.
>
>For some people, that level of confidence is "this person says they are
>so-and-so."  For other people, that level of confidence is "this person
>has a passport saying they are so-and-so."

This is the point. Every person using OpenPGP needs to make their own decisions about what constitutes an acceptable level of certainty that the person whose identity is being verified and checked against the UIDs on his purported key are valid.

>OpenPGP is completely silent about what level of confidence you should
>have for a certification.  It only says that when you sign a
>certificate, you are making an assertion about identity: that, to a
>level exceeding your threshold of certainty, such-and-such an identifier
>is an accurate descriptor for the individual or agency who controls the
>private part of a certificate.

Even if OpenPGP were not silent on this matter, you would still need to know how someone (even someone you know very well) verifies another person's identity and keys.  Assumptions are for fools.  You can't blindly believe that the verifying individual is doing it "right".

Cheers,

--Paul

--
PGP: 3DB6D884
