Obtaining sig2 and sig3 signatures
dgouttegattat at incenp.org
Wed May 31 01:22:15 CEST 2017
On 05/30/2017 09:25 PM, Stefan Claas wrote:
> The classical procedure would be to sign a key with a sig3 after seeing
> the persons id-card in a real meeting. But who guarantees that the
> id-card is not fake (if the person is a complete stranger)?
Well, no one. You rely on the ability of the signer to distinguish
between a real ID-card and a fake ID-card. Of course, not everyone can
spot a well-crafted fake ID (I certainly cannot).
That's one reason why some people actually object to key-signing parties
where participants are required to show an ID-card. Another reason is
that requiring an ID-card is equivalent to trusting the government
emitting those cards, and not everyone is OK with that (after all one of
the goals of the web-of-trust is to avoid the need for centralized
> Please note, i don't want to ask people here to sign my pub key, i just
> want to know what your thoughts are. :-)
I think that, for most users, certification levels are actually useless
due to the fact that the different certification levels don't have an
universally recognized meaning.
The OpenPGP standard (RFC 4880) says nothing about the meaning of
certification levels 2 and 3. It is up to the signing user to decide
what is a "casual certification" (level 2) and what is a "positive
certification" (level 3).
With the meaning of a sig2 or a sig3 depending on the certification
policy of the signer, the whole feature is quite pointless in my opinion.
(Maybe certification levels can still be useful when OpenPGP is used in
a closed, controlled setup--e.g. within an organization which can define
its own rules, to be followed by all its members. Maybe.)
Incidentally, I also think that many users will be much happier with the
TOFU trust model, where they won't have to care about all this "key
signing stuff" (unless they want to). Discussing about certification
levels will likely be irrelevant when TOFU will become the default trust
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 488 bytes
Desc: OpenPGP digital signature
More information about the Gnupg-users