On Tue, 25 Jul 2006, Tony Whitmore wrote:
Thanks Atom, that article was linked to from the thread suggested
yesterday. It covers some interesting etiquette points, and certainly
doesn't mention using an encrypted block of random data to further verify
identity:
"If required, they may take this opportunity to present each other with
formal identification. After enjoying each other's company, they each
return home, verify each other's key information to be correct (between
the papers they exchanged and the keys they are about to sign), and sign
each other's keys. They may then exchange signed keys."
Yet it's already been suggested in this thread that this represents
insufficient verification.
As I mentioned yesterday, I understand that it's my decision whether to
trust any particular piece of identification. I thought it would be
worth finding out whether there are any actual arguments for or against
accepting such ID which would help inform my decision.
====================
what form of ID cannot be forged, stolen or otherwise compromised? if
everyone had govt issued tattoos, or RFID implants, would that be 100%
trustworthy? what about biometrics?
to make things worse, we can't even trust multiple forms of ID (passport +
DL + credit cards + library card + employee ID, etc) because fake IDs are
often obtained/established using other fake IDs.
there are even cases where people have spent years being married to
someone and the spouse wasn't who they claimed to be. other than my
immediate family, is there anyone whose identity i can *really* be 100%
certain of? can i even trust my immediate family?
given this, it's really somewhat hopeless to think that you can absolutely
verify the identity of someone you just met... but even if you can't
absolutely verify (earning a level 3 signature) someone's identity, you
can still issue a level one or two signature based on your level of
confidence that the person is who they claim to be.
if you follow the protocol outlined in the article you can at least
demonstrate that the person controls the private key and email address.
since legal names are not designed to be 100% unique (i know of several
people named "george bush") we can, to a certain extent, blur the line
between real names and pseudonyms... in sci-fi we can often think of
identification as an absolute, but in the real world it's blurry.
my own current [informal] policy is that only people i have personally
known for extended periods of time can get a level 3 signature from me
(and i recognize that even this is not 100% accurate). if i just meet
someone at a key signing party and they show me some ID, that earns a level
2 signature. in no way am i implying that this policy is right and
everything else is wrong... that's just the way i'm currently doing it.
everyone needs to figure it out for themselves, and do what makes the most
sense to them.
--
...atom
________________________
http://atom.smasher.org/
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"Reality is that which, when you stop believing in it,
doesn't go away."
-- Philip K. Dick
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users