Robert J. Hansen wrote:
> Because of these three factors--no semantic meaning
> associated with certification levels, some OpenPGP
> implementations not supporting the distinctions, and many
> implementations making it easy to forget that such
> distinctions exist--my default policy is to treat all
> signatures as unchecked persona-level IDs unless I know the
> signer personally and know they have a signature policy.

Even that strict policy is hardly sensible, but it is better than the policies that are often promoted.

I don't see how a keysigning party works. Anybody that participates by showing ID is reducing their personal privacy by divulging their personal information. Furthermore, carrying around such ID is much more likely to create a security problem (if it is lost or stolen) than anything GPG can prevent. Finally, we give up a lot of personal security when we give our personal information to governments to get our government-issued IDs, which I think is a big mistake. Especially, when I was staying in Thailand, I saw firsthand how governments (Thai, American, and every other one) use ID controls to repress people they don't like. Anybody that insists on government-issued ID for authentication is doing the world a disservice.

For all those reasons, I am willing to sign anybody's keys at any level without any authentication, using as many different signatures as they require. And, I will do so with a set of keys that are not linked to my (online or real-life) identity, so they cannot be blacklisted.

Actually, I would like to create a network of people with the same key-signing policy. In doing so, I think it will be easy to demonstrate why the current implementation of the web-of-trust via keysigning is inadequate, especially when such a network of people participate in keysigning parties to promote the authority of their own (bogus) signatures.

In an ideal world, the fact that I am disclosing this information in advance should mean that nobody will sign my PGP key at any keysigning party. I don't know how many I will be able to attend, but I will attempt to get as many signatures as I can, alternatively using my birth name and a name of my own choosing (possibly copied from somebody with a coincidentally similar appearance).
It will be interesting to see how many people will give me a level 5 classification with an identity that can be traced back directly to this message.

- Brian

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users