Re: kernel.org status: establishing a PGP web of trust

From: Valdis . Kletnieks
Date: Wed Oct 05 2011 - 00:23:54 EST

Next message: Valdis . Kletnieks: "Re: kernel.org status: establishing a PGP web of trust"
Previous message: starlight: "Re: big picture UDP/IP performance question re 2.6.18 -> 2.6.32"
In reply to: Adrian Bunk: "Re: kernel.org status: establishing a PGP web of trust"
Next in thread: Arnaud Lacombe: "Re: kernel.org status: establishing a PGP web of trust"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 05 Oct 2011 01:39:32 +0300, Adrian Bunk said:

> But the semantics of PGP key signing is that you certify that you
> verified that a photo ID of that person matches the name on the key.

No. The semantics are that you've verified the person matches the key.
Photo ID's are *one way* of doing it.

http://www.gnupg.org/gph/en/manual.html

The GNU Privacy Handbook says (under 'Importing a Public Key'):

"A key's fingerprint is verified with the key's owner. This may be done in
person or over the phone or through any other means as long as you can
guarantee that you are communicating with the key's true owner. If the
fingerprint you get is the same as the fingerprint the key's owner gets, then
you can be sure that you have a correct copy of the key."

Now, if you're doing a PGP keysigning, then yes, checking government-issued ID
is probably the only sane way to verify 50 or 100 people's identities in an
hour. But if you have other trustable channels of doing so, that's considerd OK
too.

Attachment: pgp00000.pgp
Description: PGP signature

Next message: Valdis . Kletnieks: "Re: kernel.org status: establishing a PGP web of trust"
Previous message: starlight: "Re: big picture UDP/IP performance question re 2.6.18 -> 2.6.32"
In reply to: Adrian Bunk: "Re: kernel.org status: establishing a PGP web of trust"
Next in thread: Arnaud Lacombe: "Re: kernel.org status: establishing a PGP web of trust"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]