Obtaining sig2 and sig3 signatures
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue May 30 23:25:46 CEST 2017
On Tue 2017-05-30 21:25:24 +0200, Stefan Claas wrote:
> Let's assume we would exchange signed emails (PGP/SMIME); would these proofs
> be enough for you to warrant a sig2? And for a sig3, an additional video
> conference?
>
> The classical procedure would be to sign a key with a sig3 after seeing
> the person's id-card in a real meeting. But who guarantees that the
> id-card is not fake (if the person is a complete stranger)?
I don't recommend that anyone make a sig1, sig2, or sig3 for any
third-party certification (sig3 is fine for self-signatures, where the
keyholder asserts their own identity).
sig0 -- the default, generic certification -- is fine, does what people
need of it, and doesn't intentionally leak any more of the social graph
than it needs to.
In GnuPG, this is accessed via the "--ask-cert-level" flag. I explain
my reasoning further in a blog post titled "gpg --ask-cert-level
considered harmful":
https://debian-administration.org/users/dkg/weblog/98
--dkg
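The levels discussed in this message are simply the OpenPGP signature-type byte of a User ID certification (0x10 generic through 0x13 positive, i.e. sig0 through sig3). The script below is an added example, not code from the message, from GnuPG or from the list; it walks a binary keyring, prints each certification's level and issuer, and flags third-party certifications above sig0, which is the thing dkg advises against. It assumes v4 signatures with one- to five-byte subpacket lengths (no partial body lengths), takes the first public-key packet as the primary key, and builds its own constructed sample keyring with dummy key material and made-up issuer key IDs; nothing in the sample is verifiable, only parseable.

```python
import hashlib
import struct

# RFC 4880 section 5.2.1: signature types that certify a User ID.
CERT_LEVELS = {0x10: "sig0 (generic)", 0x11: "sig1 (persona)",
               0x12: "sig2 (casual)", 0x13: "sig3 (positive)"}


def _new_format_len(data, i):
    """Decode a new-format packet length at data[i]; return (length, next index)."""
    b0 = data[i]
    if b0 < 192:
        return b0, i + 1
    if b0 < 224:
        return ((b0 - 192) << 8) + data[i + 1] + 192, i + 2
    if b0 == 255:
        return struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths are not supported")


def iter_packets(data):
    """Yield (tag, body) for each packet in a binary OpenPGP stream."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not (ctb & 0x80):
            raise ValueError("byte %d is not a packet header" % i)
        if ctb & 0x40:                              # new-format header
            tag = ctb & 0x3F
            length, i = _new_format_len(data, i + 1)
        else:                                       # old-format header
            tag = (ctb >> 2) & 0x0F
            if (ctb & 0x03) == 3:
                raise ValueError("indeterminate length is not supported")
            n = 1 << (ctb & 0x03)                   # 1, 2 or 4 length bytes
            length = int.from_bytes(data[i + 1:i + 1 + n], "big")
            i += 1 + n
        yield tag, data[i:i + length]
        i += length


def _subpacket_len(area, i):
    b0 = area[i]
    if b0 < 192:
        return b0, i + 1
    if b0 < 255:
        return ((b0 - 192) << 8) + area[i + 1] + 192, i + 2
    return struct.unpack(">I", area[i + 1:i + 5])[0], i + 5


def _issuer_key_id(area):
    """Return the hex key ID from an Issuer (type 16) subpacket, or None."""
    i = 0
    while i < len(area):
        length, i = _subpacket_len(area, i)         # length counts the type byte
        if (area[i] & 0x7F) == 16:                  # mask the "critical" bit
            return area[i + 1:i + length].hex().upper()
        i += length
    return None


def v4_key_id(key_body):
    """Key ID = low 64 bits of the v4 fingerprint SHA1(0x99 || len || key body)."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()
    return digest[-8:].hex().upper()


def audit_certifications(keyring):
    """List every User ID certification; flag third-party sig1/sig2/sig3."""
    primary_id, uid, findings = None, None, []
    for tag, body in iter_packets(keyring):
        if tag == 6 and primary_id is None:         # first public-key packet
            primary_id = v4_key_id(body)
        elif tag == 13:                             # User ID packet
            uid = body.decode("utf-8", "replace")
        elif tag == 2 and body[0] == 4 and body[1] in CERT_LEVELS:
            hlen = struct.unpack(">H", body[4:6])[0]
            hashed = body[6:6 + hlen]
            ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
            unhashed = body[8 + hlen:8 + hlen + ulen]
            issuer = _issuer_key_id(hashed) or _issuer_key_id(unhashed)
            is_self = issuer == primary_id
            findings.append({"uid": uid, "level": body[1] - 0x10,
                             "name": CERT_LEVELS[body[1]], "issuer": issuer,
                             "self": is_self, "flag": not is_self and body[1] > 0x10})
    return findings


# --- constructed sample keyring: dummy key material, made-up issuer IDs ---
def _packet(tag, body):
    return bytes([0xC0 | tag, len(body)]) + body           # new-format, 1-byte length

def _subpacket(stype, body):
    return bytes([len(body) + 1, stype]) + body            # length includes type byte

def _cert_sig(sigtype, issuer_hex):
    hashed = _subpacket(2, struct.pack(">I", 1496179200))  # signature creation time
    unhashed = _subpacket(16, bytes.fromhex(issuer_hex))   # Issuer key ID
    body = (bytes([4, sigtype, 1, 8])                      # v4, type, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x00\x00"                                  # left 16 hash bits (dummy)
            + struct.pack(">H", 8) + b"\xAB")              # dummy 8-bit RSA MPI
    return _packet(2, body)

KEY_BODY = (bytes([4]) + struct.pack(">I", 1496179200) + bytes([1])        # v4, time, RSA
            + struct.pack(">H", 8) + b"\xC1" + struct.pack(">H", 2) + b"\x03")  # tiny n, e

def build_sample_keyring():
    own = v4_key_id(KEY_BODY)
    return (_packet(6, KEY_BODY)
            + _packet(13, b"Alice Example <alice@example.org>")
            + _cert_sig(0x13, own)                   # self-certification: sig3 is fine
            + _cert_sig(0x10, "0123456789ABCDEF")    # third party, sig0: fine
            + _cert_sig(0x12, "FEDCBA9876543210"))   # third party, sig2: flagged

if __name__ == "__main__":
    for f in audit_certifications(build_sample_keyring()):
        print("%-16s issuer=%s self=%s%s" % (f["name"], f["issuer"], f["self"],
                                            "  <-- third-party level > 0" if f["flag"] else ""))
```

On a real key, feed it the binary output of `gpg --export <keyid>` instead of the constructed keyring; `gpg --list-sigs` prints the same level digit beside each `sig` line, so the two should agree. A flagged entry is not a defect in the key, only a certification whose level disclosed more about how the signer knows the keyholder than a plain sig0 would.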
More information about the Gnupg-users mailing list