Re: personal signing policy?
Jan Steffen wrote:
> Hi everyone,
> I'm currently thinking about when to sign another one's public key.
> I often hear/read that you should check the other person's ID card or
> similar proof of identity. This is of course a good thing, but also
> often very complicated. It seems to me quite far from real life
> practicability and also not the most important issue.
> Is it really all about identity? Isn't some other kind of trust of
> similar value?
> It occurred to me that I never checked the ID card of another person in
> real life.
> I don't really care if my friend John is named John Smith or John Doe as
> long as I know I can trust him. I'm willing to lend him my lawn mower
> even if his name should be Andy as long as it is the same person.
> If we personally exchanged the fingerprints of our keys, should I sign
> his, even if I have no proof of identity? (assuming I want to encrypt
> the mower)
> If I do business with another person I usually don't check their
> identity. I start with small business and if that goes well I go up in
> value. As long as they continue to use the same key I'm willing to trust
> them. Should I sign their key?
> On the other hand, I know that some robots sign keys if they know the
> email is read by someone (like PGP Global Directory Verification). That
> seems a very low level of checking to me.
> What is your personal signing policy?
> Is checking the fingerprint by a medium other than email enough for signing?
> Thanks for any comments,
For those keys that I am quite sure the indicated ownership is true, I
sign the keys but mark my signature as non-exportable. This covers the
case where I really don't know the owner and have never obtained
positive identification. An example is the US-CERT Master Key-signing
key, which is used to sign the US-CERT Publications key used in
announcing computer vulnerabilities. Because my signature is
non-exportable, I remove some risk to others who might otherwise trust
my signature to validate the US-CERT Master Key-signing key. However, in
this case, my use of these keys -- signed but not positively identified
-- is limited to checking signatures; and I exercise some level of
skepticism even in that use (not as much as for keys I have not signed

Whenever my signature is exportable, I have indeed verified the identity
of the asserted key owner. If I know the person, I might do this by
calling him or her at a phone number I know to be correct, hearing that
person's recognizable voice, and then having that person read the
fingerprint (not ID), creation date, key-size, and key-type (RSA or
DH/DSS) to me. Having done this with a prior key, I might rely on the
fact that a newer key from her or him was signed by that prior key.

For me to sign a total stranger's key and mark my signature exportable,
I would want to see two forms of ID: One piece must include a picture
ID (e.g.: passport, driver's license). The other piece may be another
picture ID, first-class business mail addressed to the person (e.g.: a
utility bill), a check that he or she signed and then received back from
the bank as paid and cancelled, et cetera. Having positively identified
the person, I then want him or her to give me the same four key
properties -- fingerprint, date, size, and type -- before I sign the key.

Before applying an exportable signature to someone else's key, you need
to take two actions:
(1) Obtain positive identification of the key's asserted owner.
(2) Obtain confirmation from that person that she or he indeed claims
ownership of the key.
You can't do either of these by relying on the key itself. Of course,
you must also trust that person not to claim ownership of someone else's

Finally, there is the important exception based on the Web of Trust when
you obtain a key from someone unknown to you (e.g., Bob) that was signed
by someone else (e.g., Sue). If you have Sue's key, have positively
identified Sue and confirmed her ownership of that key (i.e., you have
signed it), and know Sue to be careful when signing keys (i.e., you have
set the Trust indicator), Sue's signature on Bob's key might be
sufficient for you to sign Bob's key, too. Bob's key is even further
validated if still someone else (e.g., Sam) that you trust as much as
you trust Sue has signed Bob's key (again given that you have identified
Sam and signed his key).
David E. Ross
Concerned about someone (e.g., Pres. Bush) snooping
into your E-mail? Use PGP.
See my <http://www.rossde.com/PGP/>
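The "four key properties" check the post describes (fingerprint, creation date, key size, key type, read out by the owner over a channel you trust) can be done against what your own keyring shows for that key. The following is an added example, not part of the original post and not code from the poster: a small Python parser for the GnuPG machine-readable listing format (`gpg --with-colons --fingerprint --list-keys`), run here on a constructed listing. The key id, fingerprints, user id and address in the listing are made up, and the function names `parse_primary_keys` and `compare_readout` are my own.

```python
from datetime import datetime, timezone

# OpenPGP public-key algorithm ids (RFC 4880 section 9.1). The GnuPG
# colon listing reports the algorithm as one of these numbers.
ALGO_NAMES = {1: "RSA", 16: "ELG", 17: "DSA"}

# Constructed sample in the shape of `gpg --with-colons --fingerprint
# --list-keys` output. Key id, fingerprints and user id are made up.
CONSTRUCTED_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1600000000:::u:::scESC::::::23::0:
fpr:::::::::1234567890ABCDEF1234567890ABCDEF12345678:
uid:u::::1600000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Sue Example <sue@example.invalid>::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1600000000::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
"""


def parse_primary_keys(listing):
    """Return one dict per primary key with the four properties the post
    asks the owner to read out: fingerprint, creation date (UTC,
    YYYY-MM-DD), key size in bits and key type. Only `pub` records and the
    `fpr` record that directly follows each are used; subkeys are skipped
    because the certification goes on the primary key."""
    keys = []
    current = None
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            # field 3 = key length, field 4 = algorithm id, field 6 =
            # creation time. Modern GnuPG prints seconds since the epoch;
            # old 1.x listings printed YYYY-MM-DD, so accept both.
            raw = fields[5]
            if "-" in raw:
                created = raw
            else:
                created = datetime.fromtimestamp(
                    int(raw), tz=timezone.utc).strftime("%Y-%m-%d")
            current = {
                "size": int(fields[2]),
                "type": ALGO_NAMES.get(int(fields[3]), "algo-" + fields[3]),
                "created": created,
                "fingerprint": None,
            }
            keys.append(current)
        elif rtype == "fpr" and current is not None and current["fingerprint"] is None:
            current["fingerprint"] = fields[9]  # field 10 holds the fingerprint
        elif rtype == "sub":
            current = None  # a following fpr record belongs to the subkey
    return keys


def normalize_fingerprint(text):
    """A fingerprint read aloud arrives in groups with spaces; normalize."""
    return "".join(text.split()).upper()


def compare_readout(key, fingerprint, created, size, key_type):
    """Compare a parsed key with the four values the owner read out.
    Returns the names of the properties that do not match (empty = OK)."""
    mismatches = []
    if normalize_fingerprint(fingerprint) != key["fingerprint"]:
        mismatches.append("fingerprint")
    if created != key["created"]:
        mismatches.append("created")
    if int(size) != key["size"]:
        mismatches.append("size")
    if key_type.upper() != key["type"]:
        mismatches.append("type")
    return mismatches


if __name__ == "__main__":
    key = parse_primary_keys(CONSTRUCTED_LISTING)[0]
    print(key)
    # Values as they might be read out over the phone; all four match here.
    print(compare_readout(key, "1234 5678 90AB CDEF 1234  5678 90AB CDEF 1234 5678",
                          "2020-09-13", 2048, "rsa"))
```

A "DH/DSS" key in the post's terminology shows up in this listing as algorithm 17 (DSA) on the `pub` record with algorithm 16 (ElGamal) on a `sub` record; the parser reports the primary key's type only, which is what you certify. An empty list from `compare_readout` says the key in your keyring is the one the owner described, which is the second of the post's two actions; it says nothing about the first, positive identification of the person, which no listing can provide.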