Ah, I get it now.

Key signing is one way of certifying identity.
Identity *may* be a contributing factor in trust, but establishing a "Web
of trust" is not the primary objective of the key signing parties.

Thanks,

Adrian




On Tue, Aug 13, 2013 at 4:56 PM, Ben Finney <ben+freesoftw...@benfinney.id.au> wrote:

> Adrian Colomitchi <acolomit...@gmail.com> writes:
>
> > My question: why is there a need for any other ID that's different
> > from the public key?
>
> The entire purpose of a keysigning party is to gather *independent
> verification* that the key ID is correctly associated with that person.
>
> This is why we ask for identifiers that are independent of the web of
> trust, and why we require the person to assert in our presence that the
> key is theirs, and why we prefer identifiers that tend to be easily
> verified and issued by well-known bodies to individual persons by a
> verifiable process.
>
> It is also why no-one needs to sign any key in the presence of anyone
> else. It's entirely up to the signer whether they are satisfied with the
> key-holder's identity, and they can wait until after the party to sign
> or not.
>
> > I.e.: the "sufficient certification" should actually be "We, the
> > signers of this public key, certify this public key belongs to a
> > person we trust"?
>
> A keysigning party is designed to make it easier for people who may not
> have sufficient people in close proximity who trust merely their word,
> to meet many people at the same time and make worthwhile their efforts
> to present verification of identity.
>
> > (and, of course, refuse to sign a key for any person they don't actually
> > trust, no matter the govt issued ID-es or anything else).
>
> You don't have to trust a person in order to sign their key. You are not
> asserting trust; that's entirely your business, and you never need to
> disclose it.
>
> Rather, your signature on a key says *only* that you have verified the
> person's identity and the person tells you this key is controlled by
> them.
>
> > Why would one need to ask something in addition (impose extra
> > requirements that don't add much to the "trust relationship"?)
>
> Key signatures are about asserting identity, not about trust. Trust
> depends on reliable identity, but is not the same thing.
>
> GnuPG maintains an entirely separate database for trust (specifically,
> your level of trust that the key-holder can competently manage their key
> and signatures) – and it is entirely private to you.
>
> --
>  \          “It's dangerous to be right when the government is wrong.” |
>   `\                                   —Francois Marie Arouet Voltaire |
> _o__)                                                                  |
> Ben Finney
>
> _______________________________________________
> Free-software-melb mailing list
> Free-software-melb@lists.softwarefreedom.com.au
>
> http://lists.softwarefreedom.com.au/cgi-bin/mailman/listinfo/free-software-melb
>
>
> Free Software Melbourne home page: http://www.freesoftware.asn.au/melb/
>
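The distinction drawn in the quoted reply between public key signatures and private owner trust, as an added example that is not part of the original thread and is not GnuPG's own code: a simplified Python model of GnuPG's classic trust model using its default thresholds (one fully trusted or three marginally trusted signers). All names and certifications are constructed sample data; certification depth limits, expiry and revocation are ignored.

```python
from dataclasses import dataclass, field

COMPLETES_NEEDED = 1   # GnuPG default for --completes-needed
MARGINALS_NEEDED = 3   # GnuPG default for --marginals-needed

# Public data: certifications travel with the keys (signer -> keys certified).
# Constructed sample data; a certification asserts identity only.
CERTS = {
    "alice": {"bob"},
    "bob": {"carol", "dave"},
    "carol": {"erin"},
    "dave": {"erin"},
}


@dataclass
class Keyring:
    owner: str
    # Private data: how far the owner trusts each key-holder as a signer.
    ownertrust: dict = field(default_factory=dict)

    def valid_keys(self, certs):
        """Return the keys this keyring accepts as bound to their stated owner."""
        trust = {self.owner: "ultimate", **self.ownertrust}
        valid = {self.owner}
        changed = True
        while changed:  # iterate to a fixed point
            changed = False
            candidates = {k for signed in certs.values() for k in signed} - valid
            for key in candidates:
                # Only certifications made by already-valid keys are counted.
                signers = [s for s in valid if key in certs.get(s, ())]
                levels = [trust.get(s, "unknown") for s in signers]
                full = sum(lvl in ("full", "ultimate") for lvl in levels)
                marginal = levels.count("marginal")
                if ("ultimate" in levels or full >= COMPLETES_NEEDED
                        or marginal >= MARGINALS_NEEDED):
                    valid.add(key)
                    changed = True
        return valid
```

With no owner trust assigned, bob's key is valid because alice certified it herself, yet his certifications of carol and dave count for nothing until alice privately decides to trust him as a signer.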