On Fri, Aug 01, 2003 at 11:30:25PM +0300, Dan Armak wrote:
> Hi all,

   Hello,
> 
> 1. What we actually check when we look at someone's ID card/driver's license/
> passport/etc, is that he's an Israeli (or other) citizen under that name. But 
> we don't actually check he has access to the private key in question. After 
> all, everyone knows my pub key ID and fingerprint. This may be a hole hard to 
> exploit, but I still don't like it.
> 
> Possible solution: create a test text/file on the spot at the keysigning party 
> and require participants to sign it, thus demonstrating they indeed have the 
> private key. The problem with this is that everyone would have to bring a 
> laptop or have access to an utterly trustable machine, so it seems 
> impractical at this point.
> 
> If and when we get keypair-based digital IDs instead of paper ones, there 
> should also be commodity carryable devices used to sign with those keys, so 
> this problem will be solved. Any other solutions meanwhile?
> 


1. Not a full solution, but still. Have the place of the key signing 
   party have net access and an ssh client, so that people who can 
   access their private key with ssh would be able to remotely sign it.
   This somewhat alleviates the utterly trustable machine problem, unless 
   there is no facility to gpg remotely or some other issue that I
   missed.
2. I believe we can build a reasonable ring of trust already. Not a 
   first hand signing but should be pretty close due to the small
   community and the small depth of the existing rings.
-- 

    Shaul Karl,    shaul @ actcom . net . il
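
The on-the-spot signing test proposed in the quoted message, sketched as an added example that is not part of the original thread: the organizer issues a fresh random challenge, the participant signs it wherever the private key lives (locally or over ssh), and the organizer accepts only a valid signature whose primary-key fingerprint matches the one on the paper slip. It assumes GnuPG 2.1 or later; the function names and the challenge format are hypothetical.

```shell
#!/bin/sh
# Added example: proof-of-possession check for a keysigning party.
# Assumes GnuPG 2.1+; function names and challenge format are hypothetical.

# Organizer: create a fresh, unpredictable challenge so that a signature
# made on some earlier occasion cannot be replayed.
make_challenge() {
    # $1 = output file
    printf 'keysigning-challenge %s %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')" > "$1"
}

# Participant: detached, armored signature over the challenge, made on the
# machine that holds the private key.
sign_challenge() {
    # $1 = challenge file, $2 = key fingerprint, $3 = output signature file
    gpg --batch --yes --local-user "$2" --armor --output "$3" --detach-sign "$1"
}

# Organizer: succeed only if the signature is valid AND was made by the key
# whose fingerprint the participant handed out on paper.
verify_challenge() {
    # $1 = challenge file, $2 = signature file, $3 = expected primary fingerprint
    want=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    out=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    # VALIDSIG: field 3 is the signing (sub)key fingerprint, the last field
    # is the primary key fingerprint, which is what appears on the slip.
    got=$(printf '%s\n' "$out" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$got" ] && [ "$got" = "$want" ]
}
```

The organizer needs only the participant's public key in the local keyring for `verify_challenge` to work; no trust in that key is required for the check itself.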
