Hi,

On 05/30/2017 09:25 PM, Stefan Claas wrote:
> The classical procedure would be to sign a key with a sig3 after seeing
> the person's id-card in a real meeting. But who guarantees that the
> id-card is not fake (if the person is a complete stranger)?

Well, no one. You rely on the ability of the signer to distinguish between a real ID-card and a fake ID-card. Of course, not everyone can spot a well-crafted fake ID (I certainly cannot).

That's one reason why some people actually object to key-signing parties where participants are required to show an ID-card. Another reason is that requiring an ID-card is equivalent to trusting the government emitting those cards, and not everyone is OK with that (after all one of the goals of the web-of-trust is to avoid the need for centralized authorities).


> Please note, I don't want to ask people here to sign my pub key, I just
> want to know what your thoughts are. :-)

I think that, for most users, certification levels are actually useless due to the fact that the different certification levels don't have a universally recognized meaning.

The OpenPGP standard (RFC 4880) says nothing about the meaning of certification levels 2 and 3. It is up to the signing user to decide what is a "casual certification" (level 2) and what is a "positive certification" (level 3).

With the meaning of a sig2 or a sig3 depending on the certification policy of the signer, the whole feature is quite pointless in my opinion.

(Maybe certification levels can still be useful when OpenPGP is used in a closed, controlled setup--e.g. within an organization which can define its own rules, to be followed by all its members. Maybe.)

Incidentally, I also think that many users will be much happier with the TOFU trust model, where they won't have to care about all this "key signing stuff" (unless they want to). Discussing certification levels will likely be irrelevant when TOFU becomes the default trust model.
