David Shaw wrote:
> On Mon, Jul 24, 2006 at 09:50:22PM +0100, Tony Whitmore wrote:
>> First: Is a photo driving licence considered adequate identification?
>> I'm in the UK so we have UK / EU photo driving licences. I have
>> previously only used passports as ID, but some people were presenting
>> driving licences instead.
>
> It depends on what *you* think. Some people do accept driver licences
> as adequate identification. Some don't. I do, for what it's worth.

I understand there is a personal decision to be made here, and that I have responsibility to be satisfied with the ID, but I don't know whether there are good arguments for/against accepting photo driving licences.

>> Second: I've already had back some e-mails, encrypted with my public
>> key, with signatures attached ready for me to upload to a keyserver. I
>> usually use the procedure described at [1], which requires the
>> additional verification of the encryption, exchange and decryption of a
>> random amount of text before signatures are sent. Obviously I have to be
>> able to decrypt the e-mail successfully to access the signature they
>> have sent me, but is this considered a safe and appropriate way to sign
>> keys?
>
> No, it's not. Some people do it, though. :(

I suppose I have the option of not uploading their signature to a public keyserver, but presumably these people are damaging the web of trust in signing keys in this way?

> Note that there is a difference between what page at
> http://www.hantslug.org.uk/cgi-bin/wiki.pl?LinuxHints/KeySigning says
> and what you say above. The page (correctly) notes that all that is
> necessary is that the person *sign* the challenge before sending it
> back to you. The page makes clear ("encrypted, if you like") that
> encryption is optional here, and adds little to what you are trying to
> prove. It doesn't matter if other people can read the signed
> challenge or not. Of course, it doesn't hurt to encrypt, so long as
> it is understood that it doesn't really help either.

Yes, I realise I didn't phrase my explanation very well. The procedure I use is as described on the referenced web page. What should have been a separate comment was in regard to the encrypted e-mails *I* have been sent with signatures attached. In order to access the attached signature file, I have to be able to decrypt the e-mail, meaning I have to have access to my private key. If I don't have the private key, I can't decrypt the e-mail and can't access the signature to upload it. This seems to provide some sort of checking that the e-mail address ties up with the public and private keys, but again I'd like to hear what other people think.

> Take a look at the thread starting at
> http://lists.gnupg.org/pipermail/gnupg-users/2006-July/028949.html

Thank you, I will do so.

Tony
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users