Robert L Cochran wrote: > Todd, this is an interesting discussion. You are saying someone > should make an effort to verify another person's identity as a > condition of signing a key. I think such an effort is admirable but > is not worth that time and effort. You are free to that opinion, but you should be aware that many people who use gpg will not agree with you and will place little to no value in any signatures you issue on keys if your policy for signing keys includes no attempt to check the key owner's purported identity. :) > I've actually gone out to different places as a Thawte "notary" to > meet with different people asking me to authenticate them. They > just need to show me two bits of identification and one of these has > to be a photo id. > > Now how am I to know whether the documents I am provided at this > meeting are genuine and were really issued to the person sitting in > front of me? I don't. I have no way to check whether the passport > or the driver's license really is valid. Someone can give me a sweat > soaked, grimy passport from Denmark or France or USA and I have no > idea whether it is genuine. The only thing I can do is decide > whether the photo on the document is that of the person sitting in > front of me. But that doesn't validate the document itself or the > person's identity. I still do not have proof of identity. What I > have is a piece of paper or plastic that asserts an identity and > which I have no recourse but to accept, as long as the photo looks > like the person presenting the document to me. This is true. It's obviously next to impossible to ever fully "prove" your identity to someone else. What's really desired IMO is to verify that someone is using a consistent identity. If you pass yourself off as Robert L Cochran in many contexts and have photo ID that shows this, then whether or not you truly are named Robert L Cochran or not, you've still established that as an identity. As far as the PGP web of trust is concerned, others that have met you as Robert L Cochran can begin to gain trust in this identity based on the signatures of other users who have also met you as Robert L Cochran. > Many passports contain microchips with information about the holder > of the passport. But no ordinary person has access to the > information on the chip, and is unable to validate it. "Smart cards" > are wonderful for the issuing authorities. They are terrible for the > person in a Starbucks trying to assess whether the document and > therefore the identity is valid. when you really get down to it, do you trust the "issuing authorities" to truly be authoritative and trustworthy in the task of identifying individuals? Honestly, I don't. (I think most governments are in over their heads when it comes to mail delivery, so most of the more important tasks are way beyond their abilities to do properly. :) What I'm looking for when checking photo ID is that the holder of the ID is creating a consistent identity that they're using on their key and in person. Whether the name on these documents is their given legal name is outside the scope of what I am able to or interested in validating. Now, if someone has what appears to be an obviously forged ID, I reserve the right to not accept it and not sign their key. > So what was the true value of the identity validation effort? I > think it is wholly in meeting a new person. One whom I don't at all > know. And perhaps the hope of a few minutes chat after signing the > paperwork. I'm unlikely to ever do business with the other party. He > or she may move to the Gobi Desert the next day, for all I know. True, but why sign the person's key at all then? Would you incorporate some sort of email challenge to verify that the user could receive email at the address(es) listed on the key and could sign data using the key? How would you go about checking the key info? Checking that via email opens you up to all sorts of man in the middle games, which is why it's best to trade key info in person (or over the phone if it's someone that you know well enough to recognize their voice). I prefer to sign keys of people I have known for some time. I am willing to sign keys from people I have just met, but with a lower certification level and with several other verification steps required (the ID check, key info check, and an email challenge to each uid on the key). After all of that, what my signature on the key means is that this key matches the ID of the person that presented it to me, has the proper fingerprint, size, type, etc., and that they can receive email at the uid's listed on the key and make signatures using that key. It really says no more than that. Specifically, it doesn't imply that I know them well or trust them for any purpose. That part is left up to each user. >> If that's really all the level of verification that you want out of >> PGP, then you might look at the PGP Global Directory. It is a >> somewhat automated way to sign and validate keys. You submit your >> key to the global directory, they send you an email to verify that >> you control that address. You click the link in the email to >> confirm and they then sign your key with the global directory key. >> Other users can mark the global directory key as trusted. > > That might be good enough for some forms of usage for the key > because it is a uniform, non-subjective standard for the > verification. Maybe someone only wants to be able to send and > recieve encrypted documents on an authenticated basis. If so then > the Global Directory may certainly provide sufficient validation for > that purpose. It really depends on what the senders and recievers > will be satisfied with. Yeah, the PGP global directory is a handy tool that facilitates easy opportunistic encryption among a wider range of people. It is certainly not secure enough for some usage and some people. What's nice about the PGP trust model is that everyone gets to pick who they trust and how much. That's a much more natural thing than the top typical down hierarchies you find in things like SSL/TLS. -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ What it means to take rights seriously is that one will honor them even when there is a significant social cost in doing so. -- Ronald Dworkin
Attachment:
pgpHGq0HXvChD.pgp
Description: PGP signature
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list