Keysigning @ CFP2003

Jeroen van Gelderen jeroen at vangelderen.org
Tue Mar 25 02:07:49 EST 2003


On Tuesday, Mar 25, 2003, at 00:36 US/Eastern, Ian Grigg wrote:

> On Tuesday 25 March 2003 00:22, Jeroen van Gelderen wrote:
>> On Monday, Mar 24, 2003, at 22:32 US/Eastern, bear wrote:
>>> On Mon, 24 Mar 2003, Jeroen C. van Gelderen wrote:
>>>
>>>> It's rather efficient if you want to sign a large number of keys of
>>>> people you mostly do not know personally.
>>>
>>> Right, but remember that knowing people personally was supposed
>>> to be part of the point of vouching for their identity to others.
>>
>> Not that I heard of. I always understood that I should be 'convinced'
>> of the identity and willing to state that to others.
>
> Well, that's a surprise to me!  My understanding
> of the PGPid  signature was that the semantics
> were loose, deliberately undefined.  And, within
> that limitation, it came down to "I met this guy,
> he called himself Micky Mouse."

I don't think that is a contradiction. These are just your personal
requirements for being 'convinced'.

> I've only been to one key signing event, and no
> identity was flashed around that I recall.
>
> So, do we have two completely disjoint communities
> here?  One group that avoids "photo id" and another
> that requires it?  Or is one group or the other so
> small that nobody really noticed?

Nah. I think the photo-id case just makes large key-signing parties 
easier (or possible).

I suspect that for a large group of people (excluding you(?)) the 
following statement holds:

"When I see a new person for 30 seconds she cannot 'convince' me of her 
identity. If a passport is flashed in my face in those 30 seconds I 
actually am quite certain of it."

So there you have it: the difference between being able to sign in 30 
seconds, or not. A practical -if not optimal- way to grow the WoT. This 
does *not* mean photo-id is a pre-condition for signing someone's key. 
It does *not* mean you should sign a key if you are shown a photo-id. 
It just *might* make it possible to sign a key where otherwise no 
certification would be possible.

>> Yes. But PGP doesn't mandate either interpretation. That is what you
>> use your trust knobs for: you decide on a per-user basis how
>> trustworthy an identity certification from that user is. The redundancy
>> of a well-connected WoT then helps you a bit in eliminating simple
>> errors.
>
> Um.  So, there are people out there that I am convinced
> are who they say they are.  They happen to be nyms,
> but I know that, and they are consistent nyms.  Can I
> sign their key with the highest level?

Why not? It is *your* definition of 'convinced'. Other people will use 
their trust knobs to translate your judgement to their reliance on said 
judgement.

Cheers,
Jeroen
-- 
Jeroen C. van Gelderen - jeroen at vangelderen.org

Western Corporations That Supplied Iraq's Weapons Program:
http://www.thememoryhole.org/corp/iraq-suppliers.htm


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
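
Added example, not part of the original message: a simplified Python model of how per-signer "trust knobs" (owner trust) turn someone else's certification into key validity, and how redundant certifications compensate for weaker trust. The thresholds follow GnuPG's classic trust-model defaults; the function name, key names and certifications are constructed for illustration.

```python
# Simplified model of the classic PGP web-of-trust validity calculation.
# Thresholds mirror GnuPG defaults: --completes-needed 1, --marginals-needed 3,
# --max-cert-depth 5. Real implementations also handle expiry, revocation, etc.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3

def valid_keys(me, certs, ownertrust, max_depth=5):
    """Return the set of keys that `me` considers valid.

    certs:      list of (signer, subject) identity certifications.
    ownertrust: dict signer -> "full" | "marginal"; absent means untrusted.
    """
    valid = {me}
    for _ in range(max_depth):          # each round extends paths by one hop
        newly = set()
        for subject in {s for _, s in certs} - valid:
            # Only certifications made by keys already considered valid count.
            signers = {a for a, s in certs if s == subject and a in valid}
            full = sum(1 for a in signers
                       if a == me or ownertrust.get(a) == "full")
            marginal = sum(1 for a in signers
                           if a != me and ownertrust.get(a) == "marginal")
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly.add(subject)
        if not newly:
            break
        valid |= newly
    return valid

# Constructed sample data: alice has personally certified s1, s2 and s3.
# s1 certifies a pseudonymous key "nym" under s1's own idea of 'convinced'.
ONE_SIGNER = [("alice", "s1"), ("alice", "s2"), ("alice", "s3"),
              ("s1", "nym")]
THREE_SIGNERS = ONE_SIGNER + [("s2", "nym"), ("s3", "nym")]

def nym_is_valid(certs, ownertrust):
    """True if alice ends up treating the 'nym' key as valid."""
    return "nym" in valid_keys("alice", certs, ownertrust)

if __name__ == "__main__":
    all_marginal = {"s1": "marginal", "s2": "marginal", "s3": "marginal"}
    print("s1 fully trusted:     ", nym_is_valid(ONE_SIGNER, {"s1": "full"}))
    print("s1 marginally trusted:", nym_is_valid(ONE_SIGNER, {"s1": "marginal"}))
    print("three marginal signers:", nym_is_valid(THREE_SIGNERS, all_marginal))
```

The same certification by s1 yields a valid key for a relying party who trusts s1 fully and no validity for one who trusts s1 only marginally, unless enough other signers agree.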


