[EMAIL PROTECTED] wrote:
>
> And the final 'objection' is more of a philosophical one: what is IDENTITY?
> If I know a person only by email, then that email *is* the person to me.
> And I know many people just by email and we are probably never going to
> meet IRL, except for some strange coincidence.

I find this point to be an important one. The focus of all the GPG documentation and recommendations and so forth is far too much on "real world" identity, i.e. physical documents, passports/driver's license/national ID/etc. But it is not intended, or at least not primarily used, in situations where that matters. It gets the most use in Internet communications, protecting things that are unlikely to get anyone sued or such where tracing a person to their physical identity is useful.

For this sort of reason, I was disappointed that GnuPG 1.4.x de-emphasized the "certification levels". It's helpful to be able to state what you're willing to certify ... e.g. a level 3 sig indicates confidence in the name, while a level 1 sig indicates confidence in the email (or whatever someone may use).

The UID format is also problematic IMO. GPG (OpenPGP?) strongly "wants" to have a Name and an email address for each UID. I think that this puts emphasis in a bad place, leading people to be signing the fact that e.g. "Alex Mauer belongs with [EMAIL PROTECTED]", rather than "Alex Mauer belongs with key 0x51192ff2" and "[EMAIL PROTECTED] belongs with key 0x51192ff2". The photo UID type fits much better, being a statement that "this is a photo of the person who uses 0x51192ff2".

But it is comparatively easy to verify that the email goes with the key (I'll [locally] trust robots such as keyserver.pgp.com to do this); it is /much/ harder to verify that the name goes with either the key or the email address ... or even the physical person with ID when you meet them. (Twins are not sufficiently uncommon.) I'd even go so far as to say that it's entirely impossible to be 100% sure. Fortunately the situations where it matters are few and far between, particularly for email over the internet.

-- 
Bad - You get pulled over for doing 90 in a school zone and you're drunk off your ass again at three in the afternoon.
Worse - The cop is drunk too, and he's a mean drunk.
FUCK! - A mean drunk that's actually a swarm of semi-sentient flesh-eating beetles.
OpenPGP key id: 0x51192FF2 @ subkeys.pgp.net
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
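
The certification levels discussed in the message above are stored as the OpenPGP signature types 0x10 to 0x13 and appear in the signature-class field of `gpg --list-sigs --with-colons` output. The following is an added example, not part of the original post: it reads such a listing and reports, per UID, the level each third-party certifier asserted. The sample listing, key IDs, names and address are constructed, and the key is assumed to carry one name-only and one email-only UID.

```python
# Added example. SAMPLE is a constructed colon-format listing, not output
# from a real keyring; all key IDs, names and addresses are placeholders.
SAMPLE = """\
pub:u:2048:1:00000000AAAAAAAA:1136073600:::u:::scESC:
uid:u::::1136073600::HASH1::Example Name:
sig:::1:00000000AAAAAAAA:1136073600::::Example Name:13x:
sig:::1:00000000BBBBBBBB:1140000000::::Signer One:13x:
sig:::1:00000000CCCCCCCC:1140000100::::Signer Two:10x:
uid:u::::1136073600::HASH2::someone@example.org:
sig:::1:00000000BBBBBBBB:1140000200::::Signer One:11x:
sub:u:2048:1:00000000DDDDDDDD:1136073600::::::e:
sig:::1:00000000AAAAAAAA:1136073600::::Example Name:18x:
"""

# OpenPGP certification signature types and the gpg level they correspond to:
# 0x10 generic (0), 0x11 persona (1), 0x12 casual (2), 0x13 positive (3).
LEVELS = {0x10: 0, 0x11: 1, 0x12: 2, 0x13: 3}


def cert_levels(listing):
    """Map each UID to [(signer_key_id, level), ...], skipping self-signatures."""
    result, primary, uid = {}, None, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            primary, uid = f[4], None          # field 5: key ID of the primary key
        elif f[0] == "uid" and len(f) > 9:
            uid = f[9]                         # field 10: the user ID string
            result[uid] = []
        elif f[0] == "sub":
            uid = None                         # following sigs bind a subkey, not a UID
        elif f[0] == "sig" and uid is not None and len(f) > 10:
            sig_class = int(f[10][:2], 16)     # field 11: e.g. "13x" -> 0x13
            if f[4] == primary or sig_class not in LEVELS:
                continue                       # self-signature or not a certification
            result[uid].append((f[4], LEVELS[sig_class]))
    return result


if __name__ == "__main__":
    for uid, certs in cert_levels(SAMPLE).items():
        for signer, level in certs:
            print(f"{uid!r}: certified by {signer} at level {level}")
```
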
