Ah, I get it now.
Key signing is one way of certifying identity.
Identity *may* be a contributing factor in trust, but establishing a "Web
of trust" is not the primary objective of the key signing parties.
On Tue, Aug 13, 2013 at 4:56 PM, Ben Finney wrote:
> Adrian Colomitchi <acolomit...@gmail.com>
> > My question: why is there a need for any other ID that's different
> > from the public key?
> The entire purpose of a keysigning party is to gather *independent
> verification* that the key ID is correctly associated with that person.
> This is why we ask for identifiers that are independent of the web of
> trust, and why we require the person to assert in our presence that the
> key is theirs, and why we prefer identifiers that tend to be easily
> verified and issued by well-known bodies to individual persons by a
> verifiable process.
> It is also why no-one needs to sign any key in the presence of anyone
> else. It's entirely up to the signer whether they are satisfied with the
> key-holder's identity, and they can wait until after the party to sign
> or not.
> > I.e.: the "sufficient certification" should actually be "We, the
> > signers of this public key, certify this public key belongs to a
> > person we trust"?
> A keysigning party is designed to make it easier for people who may not
> have sufficient people in close proximity who trust merely their word,
> to meet many people at the same time and make worthwhile their efforts
> to present verification of identity.
> > (and, of course, refuse to sign a key for any person they don't actually
> > trust, no matter the govt-issued IDs or anything else).
> You don't have to trust a person in order to sign their key. You are not
> asserting trust; that's entirely your business, and you never need to
> disclose it.
> Rather, your signature on a key says *only* that you have verified the
> person's identity and the person tells you this key is controlled by
> > Why would one need to ask something in addition (impose extra
> > requirements that don't add much to the "trust relationship"?)
> Key signatures are about asserting identity, not about trust. Trust
> depends on reliable identity, but is not the same thing.
> GnuPG maintains an entirely separate database for trust (specifically,
> your level of trust that the key-holder can competently manage their key
> and signatures) – and it is entirely private to you.
> “It's dangerous to be right when the government is wrong.”
> —Francois Marie Arouet Voltaire
> Ben Finney
> Free-software-melb mailing list
> Free Software Melbourne home page: http://www.freesoftware.asn.au/melb/