On 6 September 2011 00:17, Ben Laurie <[email protected]> wrote:
>
> a) Who cares? PGP is for email and other online transactions, your
> government (or whatever) issued ID is irrelevant.
>

Not just for email - it's very useful for cryptographic signatures for many applications. I'd be happy to discuss it with you either during Q&A or during the day if you'd like. I am by no means an expert, just someone who has received the talk one too many times and has offered to regurgitate my experiences.

The Government issued ID allows me to assert that you are not just a random person passing yourself off as someone else to help them get as many signatures as possible. High quality forgeries will fool me, but if you're performing high quality forgeries there are better ways of manipulating the system than getting me to sign your key. Should someone realise the documents are indeed forgeries, that person is more than likely going to raise the alarm and potentially email all the signatures asking for a revocation of the signatures to that key.

> b) Who is qualified to check such documents?

You are. You're confirming that the person who has submitted their key is the same person in the ID you are inspecting. There are levels of trust you can set within GPG so that you can set a particular person as "ultimately trusted" right down to "I don't really trust at all". Some people go to extremes and publish signing policies on what kind of ID checks get which level of trust, but I just mark everyone that satisfies my simple criteria as "I trust" in verifying others' IDs.

I, for instance, don't set an expiry date on my key, which has caused some people to "trust" me less. If you don't agree with my stance on the keysigning, don't sign my key - or if you do, sign it with very weak trust. It's not rude, it's not snide, it's just that you have a higher sense of security than I do.

On a similar note, I wouldn't do key-signing at all if it involved responsible third parties with suitable qualifications in order to verify the authenticity of documents because it has then slipped from being trivial to being a chore.

The primary reason I sign keys is not to enhance the web of trust through my new connections (though that is a key benefit) but in meeting new and interesting people.

I hope we can have a brief chat about it tomorrow, as I have to be up in 5 hours to drive to Bristol ;)

Matthew Walster
