On Wed, Jul 13, 2016 at 01:04:14PM +0000, Gianfranco Costamagna wrote:
> >I don't know how I'd sign their key, but I'd be willing to.
> *HOW* can he get signatures? *WHO* can verify the identity?
> *WHO* is in charge of keeping it private? (DAM?)
> *IS* acceptable to sign an identity without knowing the person behind it?

I sign a uid on a key when I know that the key actually belongs to the person who goes with that name/email address.

I have signed a key knowing that the name on the uids did not match a name on their government issued ID papers. I have worked with the entity known with that UID for years, both online and in person at DebConfs, and at some point I got his key fingerprint from him in person and signed his key. I could most certainly certify that that GPG key was owned by the person widely known with that name.

I have also signed several keys whose full name on the government issued ID did not really match the UID on the GPG key, because no, really, seriously, people called them "Gió", not "Giovanni Giorgio Piermaria Vladimiro Uliano Secondo".

There are many ways of defining identity and reputation, each with their ups and downs. A government issued ID is one of many ways of defining identity, which delegates certification to a nation state or a good forger. Personal experience with the person is another. There can be others.

Looking back, among the various keys that I signed over the years, those that I signed knowing that the UIDs were pseudonyms are, by far, those for which I'm most confident of the identity of their owners, exactly because my experience of their identity went way beyond a quick look at their passport.

Enrico

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enr...@enricozini.org>