On 03/21/2011 04:18 PM, Daniel Kahn Gillmor wrote:
> On 03/21/2011 04:05 PM, David Shaw wrote:
>> While the common usage for regular users is to sign based on checking
>> identity, signatures can be just as well used as a token to indicate
>> membership. For example, the PGP product has the concept of a "Corporate
>> Signing Key", which is used to sign employee keys to indicate they are
>> genuine (and their keyserver can actually enforce this). They are not
>> signing to say that Alice is Alice, they are signing to say that Alice is
>> Alice, and works for Company X (i.e. they would not sign Alice's personal
>> key).
>>
>> If I was going to do this with a group, like above, I'd probably make a
>> special Group Signing Key to issue the membership signatures to avoid
>> confusing my personal signatures with the group membership ones, though.
>
> If i was going to try to indicate more than a simple identity binding
> with an OpenPGP signature, i'd define an OpenPGP notation [0] and
> include the relevant subpacket in my signature.
>
> This way, the same signing key is capable of making identity
> certifications *and* identity+metadata certifications.
>
But that doesn't provide any easy way for me to only trust your identity+metadata certifications, if, for example, I trust you to sign in your role for a company, but don't trust or care about your personally-issued sigs. Instead of signing your key, I need to manually inspect any and all keys that may have your signature.

-- 
-Grant
"Look around! Can you construct some sort of rudimentary lathe?"
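As an added illustration that is not part of this thread, the following Python shows what the proposal and the objection above amount to at the byte level: it builds and parses the OpenPGP Notation Data signature subpacket (type 20, RFC 4880 section 5.2.3.16) that dkg refers to, and then applies the policy Grant wants, where a certification from a given signer only counts as a membership statement when it carries the group notation. The notation name `membership@example.org`, the value `member`, and the signer labels are constructed for the example.

```python
import struct

NOTATION_SUBPACKET_TYPE = 20   # RFC 4880 5.2.3.16, Notation Data
HUMAN_READABLE = 0x80000000    # the only notation flag RFC 4880 defines

def encode_notation_subpacket(name: str, value: str) -> bytes:
    """Build one Notation Data subpacket (header + body).

    Body: 4 octets flags, 2 octets name length, 2 octets value length,
    then name and value. Header: one length octet (valid for bodies
    shorter than 192 octets) followed by the subpacket type octet.
    """
    name_b, value_b = name.encode(), value.encode()
    body = struct.pack(">IHH", HUMAN_READABLE, len(name_b), len(value_b)) + name_b + value_b
    if len(body) + 1 >= 192:
        raise ValueError("example only handles one-octet subpacket lengths")
    return bytes([len(body) + 1, NOTATION_SUBPACKET_TYPE]) + body

def decode_notations(subpackets: bytes) -> dict:
    """Walk a run of signature subpackets and return {name: value} for every
    human-readable Notation Data subpacket; subpackets of other types are skipped."""
    notations, i = {}, 0
    while i < len(subpackets):
        length = subpackets[i]
        if length >= 192:
            raise ValueError("multi-octet subpacket lengths not handled here")
        sp_type, body = subpackets[i + 1], subpackets[i + 2:i + 1 + length]
        i += 1 + length
        if sp_type != NOTATION_SUBPACKET_TYPE:
            continue
        flags, name_len, value_len = struct.unpack(">IHH", body[:8])
        name = body[8:8 + name_len]
        value = body[8 + name_len:8 + name_len + value_len]
        if flags & HUMAN_READABLE:
            notations[name.decode()] = value.decode()
    return notations

def is_membership_cert(signer: str, subpackets: bytes,
                       trusted_signer: str, group_notation: str) -> bool:
    """Accept only certifications from trusted_signer that carry the group
    notation; that signer's plain identity certifications are ignored."""
    if signer != trusted_signer:
        return False
    return decode_notations(subpackets).get(group_notation) == "member"

# Constructed sample: a Signature Creation Time subpacket (type 2) followed
# by the group-membership notation, as they would sit in a hashed subpacket area.
SAMPLE_SUBPACKETS = (bytes([5, 2]) + struct.pack(">I", 1300738680)
                     + encode_notation_subpacket("membership@example.org", "member"))
```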
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users