Obtaining sig2 and sig3 signatures

Damien Goutte-Gattat dgouttegattat at incenp.org
Wed May 31 01:22:15 CEST 2017


On 05/30/2017 09:25 PM, Stefan Claas wrote:
> The classical procedure would be to sign a key with a sig3 after seeing
> the person's id-card in a real meeting. But who guarantees that the
> id-card is not fake (if the person is a complete stranger)?

Well, no one. You rely on the ability of the signer to distinguish 
between a real ID-card and a fake ID-card. Of course, not everyone can 
spot a well-crafted fake ID (I certainly cannot).

That's one reason why some people actually object to key-signing parties 
where participants are required to show an ID-card. Another reason is 
that requiring an ID-card is equivalent to trusting the government 
emitting those cards, and not everyone is OK with that (after all one of 
the goals of the web-of-trust is to avoid the need for centralized 

> Please note, I don't want to ask people here to sign my pub key, I just
> want to know what your thoughts are. :-)

I think that, for most users, certification levels are actually useless 
due to the fact that the different certification levels don't have a 
universally recognized meaning.

The OpenPGP standard (RFC 4880) says nothing about the meaning of 
certification levels 2 and 3. It is up to the signing user to decide 
what is a "casual certification" (level 2) and what is a "positive 
certification" (level 3).

With the meaning of a sig2 or a sig3 depending on the certification 
policy of the signer, the whole feature is quite pointless in my opinion.

(Maybe certification levels can still be useful when OpenPGP is used in 
a closed, controlled setup--e.g. within an organization which can define 
its own rules, to be followed by all its members. Maybe.)

Incidentally, I also think that many users will be much happier with the 
TOFU trust model, where they won't have to care about all this "key 
signing stuff" (unless they want to). Discussing certification 
levels will likely be irrelevant when TOFU becomes the default trust 
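
Added example (not part of the original message and not GnuPG code): a minimal Python reader for a binary OpenPGP packet stream that reports which RFC 4880 certification type (0x10 to 0x13) each signature packet carries, which is the only thing a sig2 or sig3 records about how the key was checked. The function names and the SAMPLE bytes are constructed for illustration; the sample packets are truncated bodies, not valid signatures.

```python
# Added example. SAMPLE is constructed for illustration, not real signatures.
CERT_TYPES = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}

def packets(data):
    """Yield (tag, body) per packet of a binary OpenPGP stream (RFC 4880, 4.2)."""
    i = 0
    while i < len(data):
        first = data[i]; i += 1
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:                       # new-format header
            tag, o1 = first & 0x3F, data[i]
            i += 1
            if o1 < 192:
                length = o1
            elif o1 < 224:
                length = ((o1 - 192) << 8) + data[i] + 192
                i += 1
            elif o1 == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                                  # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            n = 1 << ltype                     # 1, 2 or 4 length octets
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def certification_levels(data):
    """Return [(signature type, level 0-3)] for certification signatures only."""
    found = []
    for tag, body in packets(data):
        if tag != 2 or len(body) < 3 or body[0] not in (3, 4):
            continue                           # not a v3/v4 signature packet
        sig_type = body[2] if body[0] == 3 else body[1]
        if sig_type in CERT_TYPES:             # skips e.g. 0x18 subkey bindings
            found.append((sig_type, sig_type - 0x10))
    return found

SAMPLE = (bytes([0xC2, 10, 4, 0x13, 1, 8, 0, 0, 0, 0, 0xAB, 0xCD])    # v4, new header
          + bytes([0xCD, 5]) + b"alice"                               # User ID packet
          + bytes([0x88, 10, 4, 0x12, 1, 8, 0, 0, 0, 0, 0x12, 0x34])  # v4, old header
          + bytes([0x88, 10, 4, 0x18, 1, 8, 0, 0, 0, 0, 0x56, 0x78])  # subkey binding
          + bytes([0x88, 5, 3, 5, 0x10, 0, 0]))                       # v3 layout
```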
