Keysigning @ CFP2003

Len Sassaman rabbi at abditum.com
Wed Mar 26 18:12:14 EST 2003


On Mon, 24 Mar 2003, Ian Grigg wrote:

> I must be out of touch - since when did
> PGP key signing require a photo id?

It does not. It is improper for a key-signing organizer to dictate signing
policy to individuals. When I wrote the Efficient Group Key Signing Method
paper[1], I specifically omitted identity verification steps, since it is
no one's business but the holder of the key (and those who trust that key
as an introducer) what information the holder requires before signing.

Incidentally, the GnuPG FAQ perpetuates this fallacy, so Doug is probably
not to blame for this mistake. There are better ways of determining
identity, and one of the benefits of PGP is that we aren't locked in to a
strict, rigid model of how trust is to be assigned. Convincing people that
[easily forged] government IDs are sufficient to verify identity is a
dangerous practice.

A better thing to do is to announce in the key-signing notice that
individuals may want to bring government ID in the case that someone
attending will require it to satisfy his signing policy -- rather than
dictating signing policy to your participants.


--Len.

[1] http://sion.quickie.net/keysigning.txt


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com


