Randall, You are free to use whatever system you want to use in determining what keys to sign. All I am doing is pointing out what is common, and what is commonly frowned upon. A standard baseline is that you have a) met the person, 2) seen a photo ID, and d) verified cryptographically that they control the private key. The last step is usually done through exchanging signatures after the key party.
On Sat, Mar 31, 2012 at 6:23 AM, Randall Leeds <[email protected]> wrote:
> On Fri, Mar 30, 2012 at 17:23, Jason Smith <[email protected]> wrote:
> > You are not confirming that somebody is who he says he is. You are
> > simply confirming that he bears the key that he says he has. The
> > latter is a much simpler problem.
>
> That's precisely my point. I have a giant stack of evidence that says
> Noah bears this key.
>
> Also related to my anecdote about signing parties I've experienced,
> wherein nobody asks me to prove that I own the private key, I'll note
> it's sort of unnecessary. Signing *their* keys and publishing that
> demonstrates that I own the private keys corresponding to my identity
> of my signature. But for that first signature with an unconnected
> other, it seems like the "right" thing has nothing to do with driver's
> licenses or photo ID, but everything to do with exchanging a signed
> message over a secure channel, which is slightly more than "hey, the
> fingerprints on our screens match", which just says that you're
> talking about the same key (whose owner may or may not be present).
>
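The distinction both messages circle around, comparing fingerprints (same key) versus proving control of the private key (key holder is present), is easy to show as a small challenge-response. The following is an added example written for this thread, not code from either poster or from GnuPG: the verifier issues a fresh random challenge, the claimant signs it, and the verifier checks the signature against the key whose fingerprint was just compared. Ed25519 and a SHA-256 digest of the raw public key are assumed here as stand-ins for an OpenPGP key and its fingerprint; the type and function names (Challenge, ProveControl, VerifyControl) are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Fingerprint is what the two parties compare on their screens at the key party.
// Assumption: a SHA-256 digest over the raw ed25519 public key stands in for an
// OpenPGP fingerprint, which is a hash over the key packet.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Challenge is the message the verifier asks the claimant to sign. The random
// nonce means a signature produced for some other occasion cannot be replayed,
// and the context string ties the signature to this exchange.
type Challenge struct {
	Nonce   []byte
	Context string
}

// NewChallenge draws a fresh 32-byte nonce for one verification.
func NewChallenge(context string) (Challenge, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	return Challenge{Nonce: nonce, Context: context}, nil
}

// Bytes serialises the challenge as context || NUL || nonce for signing.
func (c Challenge) Bytes() []byte {
	return append([]byte(c.Context+"\x00"), c.Nonce...)
}

// ProveControl is the claimant's side: sign the verifier's challenge with the
// private key behind the fingerprint that was just compared in person.
func ProveControl(priv ed25519.PrivateKey, c Challenge) []byte {
	return ed25519.Sign(priv, c.Bytes())
}

// VerifyControl is the verifier's side. It takes the public key the claimant
// handed over, the fingerprint the verifier read from the claimant's screen or
// slip of paper, the challenge it issued, and the signature that came back.
// A fingerprint match alone only shows both sides mean the same key; the
// signature check is what shows the person in front of you holds it.
func VerifyControl(presented ed25519.PublicKey, comparedFingerprint string, c Challenge, sig []byte) error {
	if Fingerprint(presented) != comparedFingerprint {
		return errors.New("fingerprint mismatch: this is not the key we compared")
	}
	if !ed25519.Verify(presented, c.Bytes(), sig) {
		return errors.New("signature invalid: claimant does not control the private key")
	}
	return nil
}

func main() {
	// Constructed sample: "Noah" holds a key; an impostor shows up with Noah's
	// public key and fingerprint but, naturally, not Noah's private key.
	noahPub, noahPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, impostorPriv, _ := ed25519.GenerateKey(rand.Reader)

	ch, _ := NewChallenge("keysigning 2012-03-31")
	fmt.Println("Noah:    ", VerifyControl(noahPub, Fingerprint(noahPub), ch, ProveControl(noahPriv, ch)))
	fmt.Println("impostor:", VerifyControl(noahPub, Fingerprint(noahPub), ch, ProveControl(impostorPriv, ch)))
}
```

The challenge itself need not be secret: what the secure channel buys you is that the nonce you hand over and the signature you get back really come from the person standing in front of you, which is the one thing a fingerprint comparison does not establish. The signature-exchange-after-the-party practice described earlier in the thread serves the same purpose, with the signed key as the challenge.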
