personal signing policy? - PGP



Thread: personal signing policy?

  1. personal signing policy?

    Hi everyone,

    I'm currently thinking about when to sign another one's public key.
    I often hear/read that you should check the other person's ID card or
    similar proof of identity. This is of course a good thing, but also
    often very complicated. It seems to me quite far from real life
    practicability and also not the most important issue.

    Is it really all about identity? Isn't some other kind of trust of
    similar value?
    It occurred to me that I never checked the ID card of another person in
    real life.
    I don't really care if my friend John is named John Smith or John Doe as
    long as I know I can trust him. I'm willing to lend him my lawn mower
    even if his name should be Andy as long as it is the same person.
    If we personally exchanged the fingerprints of our keys, should I sign
    his, even if I have no proof of identity? (assuming I want to encrypt
    the mower)

    If I do business with another person I usually don't check their
    identity. I start with small business and if that goes well I go up in
    value. As long as they continue to use the same key I'm willing to trust
    them. Should I sign their key?

    On the other hand, I know that some robots sign keys if they know the
    email is read by someone (like PGP Global Directory Verification). That
    seems a very low level of checking to me.

    What is your personal signing policy?

    Is checking the fingerprint by a medium other than email enough for signing?

    Thanks for any comments,
    Jan

  2. Re: personal signing policy?

    Jan Steffen wrote:
    > Hi everyone,
    >
    > I'm currently thinking about when to sign another one's public key.
    > I often hear/read that you should check the other person's ID card or
    > similar proof of identity. This is of course a good thing, but also
    > often very complicated. It seems to me quite far from real life
    > practicability and also not the most important issue.
    >
    > Is it really all about identity? Isn't some other kind of trust of
    > similar value?
    > It occurred to me that I never checked the ID card of another person in
    > real life.
    > I don't really care if my friend John is named John Smith or John Doe as
    > long as I know I can trust him. I'm willing to lend him my lawn mower
    > even if his name should be Andy as long as it is the same person.
    > If we personally exchanged the fingerprints of our keys, should I sign
    > his, even if I have no proof of identity? (assuming I want to encrypt
    > the mower)
    >
    > If I do business with another person I usually don't check their
    > identity. I start with small business and if that goes well I go up in
    > value. As long as they continue to use the same key I'm willing to trust
    > them. Should I sign their key?
    >
    > On the other hand, I know that some robots sign keys if they know the
    > email is read by someone (like PGP Global Directory Verification). That
    > seems a very low level of checking to me.
    >
    > What is your personal signing policy?
    >
    > Is checking the fingerprint by a medium other than email enough for signing?
    >
    > Thanks for any comments,
    > Jan


    For those keys that I am quite sure the indicated ownership is true, I
    sign the keys but mark my signature as non-exportable. This covers the
    case where I really don't know the owner and have never obtained
    positive identification. An example is the US-CERT Master Key-signing
    key, which is used to sign the US-CERT Publications key used in
    announcing computer vulnerabilities. Because my signature is
    non-exportable, I remove some risk to others who might otherwise trust
    my signature to validate the US-CERT Master Key-signing key. However, in
    this case, my use of these keys -- signed but not positively identified
    -- is limited to checking signatures; and I exercise some level of
    skepticism even in that use (not as much as for keys I have not signed
    at all).

    Whenever my signature is exportable, I have indeed verified the identity
    of the asserted key owner. If I know the person, I might do this by
    calling him or her at a phone number I know to be correct, hearing that
    person's recognizable voice, and then having that person read the
    fingerprint (not ID), creation date, key-size, and key-type (RSA or
    DH/DSS) to me. Having done this with a prior key, I might rely on the
    fact that a newer key from her or him was signed by that prior key.

    For me to sign a total stranger's key and mark my signature exportable,
    I would want to see two forms of ID: One piece must include a picture
    ID (e.g.: passport, driver's license). The other piece may be another
    picture ID, first-class business mail addressed to the person (e.g.: a
    utility bill), a check that he or she signed and then received back from
    the bank as paid and cancelled, et cetera. Having positively identified
    the person, I then want him or her to give me the same four key
    properties -- fingerprint, date, size, and type -- before I sign the key.

    Before applying an exportable signature to someone else's key, you need
    to take two actions:
    (1) Obtain positive identification of the key's asserted owner.
    (2) Obtain confirmation from that person that she or he indeed claims
    ownership of the key.
    You can't do either of these by relying on the key itself. Of course,
    you must also trust that person not to claim ownership of someone else's
    key.

    Finally, there is the important exception based on the Web of Trust when
    you obtain a key from someone unknown to you (e.g., Bob) that was signed
    by someone else (e.g., Sue). If you have Sue's key, have positively
    identified Sue and confirmed her ownership of that key (i.e., you have
    signed it), and know Sue to be careful when signing keys (i.e., you have
    set the Trust indicator), Sue's signature on Bob's key might be
    sufficient for you to sign Bob's key, too. Bob's key is even further
    validated if still someone else (e.g., Sam) that you trust as much as
    you trust Sue has signed Bob's key (again given that you have identified
    Sam and signed his key).

    --

    David E. Ross


    Concerned about someone (e.g., Pres. Bush) snooping
    into your E-mail? Use PGP.
    See my
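    A small model of the policy this reply describes, added here as an example and not code from the thread or from any PGP implementation: non-exportable signatures stay on my own keyring, and a stranger's key (Bob) becomes valid through one fully trusted signer or, as in the Sue-and-Sam case above, two marginally trusted signers. The fingerprints, the two-marginals threshold and the simplified trust rules are assumptions for illustration (GnuPG's own defaults differ).

```python
from dataclasses import dataclass

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"

@dataclass
class Signature:
    signer: str         # fingerprint of the key that made the signature
    exportable: bool    # False = local signature, as with 'gpg --lsign-key'

def export_sigs(sigs):
    """Signatures that leave my keyring when a key is exported or uploaded."""
    return [s for s in sigs if s.exportable]

def key_validity(fpr, me, ownertrust, keyring, marginals_needed=2, _seen=()):
    """Classify a key as 'valid', 'marginal' or 'unknown' from its signatures.
    A signature counts only if the signer's key is itself valid and I have set
    ownertrust for the signer (the reply's 'Trust indicator')."""
    if fpr == me:
        return "valid"                        # my own key needs no signatures
    seen = set(_seen) | {fpr}                 # guard against signature cycles
    full = marginal = 0
    for sig in keyring.get(fpr, []):
        if sig.signer in seen or sig.signer not in keyring:
            continue                          # unknown or circular signer
        if key_validity(sig.signer, me, ownertrust, keyring,
                        marginals_needed, seen) != "valid":
            continue                          # signer's own key is not validated
        level = ownertrust.get(sig.signer, UNKNOWN)
        if level in (ULTIMATE, FULL):
            full += 1
        elif level == MARGINAL:
            marginal += 1
    if full >= 1 or marginal >= marginals_needed:
        return "valid"
    return "marginal" if marginal else "unknown"

def demo_keyring():
    """Constructed keyring mirroring the reply: I signed Sue and Sam after
    identifying them, both signed Bob, and US-CERT got only a local signature."""
    me = "ME"                                 # placeholder fingerprints throughout
    keyring = {
        me: [],
        "SUE": [Signature(me, True)],
        "SAM": [Signature(me, True)],
        "BOB": [Signature("SUE", True), Signature("SAM", True)],
        "USCERT": [Signature(me, False)],     # non-exportable signature
    }
    ownertrust = {me: ULTIMATE, "SUE": MARGINAL, "SAM": MARGINAL}
    return me, keyring, ownertrust
```

Locally the US-CERT key counts as valid for my own signature checks, but exporting it hands nobody my signature, which is exactly the risk the reply removes.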
