Re: [SLE] Signing pgp/gpg keys [Was: crontab help]



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


The Monday 2006-11-06 at 07:27 -0500, ken wrote:

> On 11/05/2006 10:35 PM somebody named Carlos E. R. wrote:
>
>> Also, I don't even sign locally keys for which I don't have some kind of
>> verification, even if marginal, because key checking will not tell me the
>> difference when reading an email. But that is a personal choice.
>
> Carlos,
>
> I very much appreciate the rigorous care you take when signing others'
> keys. I also find the documentation on this aspect of key signing
> rather abstract. So to wax phenomenological, I would see a case for
> locally signing your (actual) key and would advocate for at least one
> descriptive category of signature.
>
> Because you have been posting here for quite a while with a consistent
> key, I can be sure that emails sent to me with this key are from the
> same person (unless someone else gets your passphrase or hacks your
> private key... but in that case all bets are off anyway).

Right.

> If you change
> to a new email account and want to prove to me that you are the same
> person, all you have to do is send me an email using your current key.

Actually, you can add the new identity to the old key, upload it again to
a key server, and continue using the same key. The same key can have
several IDs.

> I might not know with any certainty that your name really is Carlos or
> anything else about you, but I do know that you are the same person I
> have been receiving emails from, even if you send me an email with a
> different name and different email address.

Yes.

> Conversely, if someone else, say a guy named Scooter, gets control of
> your email address (or spoofs it) and, further, uses the name Carlos E.
> R., Scooter could fool a lot of people into thinking he was you...
> unless people had already imported your key and questioned the fact that
> he was not using the key for Carlos E. R. Going on the assumption that
> Scooter was not in possession of your private key, he could not prove
> (to me, at least) that he was you.

But he might fool you by creating a new key pair and using it. You would
download that key, and the keys would be correct. You might not notice
that the keys used by me and the impersonator were different unless you
checked.

> Conversely again, you could change your email address and even change
> your name-- to, say, Jorge-- and if you used the same key you are using
> now, people who had already imported your key would know that Jorge and
> Carlos were the same person. Moreover, were I to (non-locally) sign and
> upload your key, other people would/should trust that Jorge and Carlos
> E. R. are one and the same person.

Yes.

> Now the terms "local" and "non-local" (global?) don't describe very well
> this usage. Nor do the given "levels of trust". Given the above
> purposes, there's no question as to *how much* I trust the signature,
> but rather *what* I trust. The local-global dichotomy doesn't address
> this manner of trusting, what I would refer to as "personal" or
> "identical" trusting. That is, I don't know your date of birth, street
> address, phone number, or even if Carlos E. R. is your true name, but I
> don't care about those. (Except for your date of birth, all these
> details about you could be legally changed anyway.) The only trust
> issue here is personal (and I'm using "person" here in its original,
> most fundamental sense, from the Latin "per-sonare", to sound through (a
> mask), what an actor in a drama did/does), one of the identity of the
> one who may wear different "masks". To trust any communication where
> the identity of the person we are communicating with is critical, this
> manner of trusting is critical, regardless of whether we call it global
> or local.

Right again.

Local signing is just a safeguard, so that I don't upload them
accidentally and others import them. Each person might use it for different
purposes, but the idea is to only sign globally or publicly when we can
certify the identity of that person somewhat. That's how I understand it,
at least.

- --
Cheers,
Carlos E. R.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQFFT74LtTMYHG2NR9URAuqVAJ9BRAH6y4E6DDDabzZnl8WcdomyggCgkjoq
rLwGwouK90gj/yt8oLhsUro=
=OBT2
-----END PGP SIGNATURE-----
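Added by the editor, not part of the thread: a small Python model of the "consistent key" reasoning in the exchange above (and of Carlos's note that one key can carry several IDs). It pins a correspondent by key fingerprint rather than by name or address, so a new name on a known key reads as the same person, while a known name arriving under a different key is flagged for a fingerprint check. All fingerprints and addresses are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class KeyHistory:
    """Fingerprint-pinned record of which user IDs have signed with which key."""

    # fingerprint -> set of user IDs seen in verified signatures from that key
    uids_by_fpr: dict[str, set[str]] = field(default_factory=dict)

    def observe(self, fpr: str, uid: str) -> str:
        """Classify one verified signature and (unless it conflicts) record it.

        'first-use'    unseen key, unseen user ID: nothing to compare against yet
        'known'        same key and user ID as before
        'same-person'  a key we already know, now carrying a new name or address
        'key-conflict' a user ID we know, but signed by a *different* key
        """
        fpr = fpr.replace(" ", "").upper()      # tolerate GnuPG's spaced display form
        uid = uid.strip().lower()
        keys_for_uid = {f for f, uids in self.uids_by_fpr.items() if uid in uids}
        if keys_for_uid and fpr not in keys_for_uid:
            return "key-conflict"               # do not learn the binding; compare fingerprints
        if fpr in self.uids_by_fpr:
            verdict = "known" if uid in self.uids_by_fpr[fpr] else "same-person"
        else:
            verdict = "first-use"
        self.uids_by_fpr.setdefault(fpr, set()).add(uid)
        return verdict


def demo() -> list[str]:
    """Replay the thread's scenario with constructed fingerprints and addresses."""
    history = KeyHistory()
    carlos_key = "1A2B 3C4D 5E6F 7081 92A3  B4C5 D6E7 F809 1A2B 3C4D"   # constructed
    scooter_key = "FFEE DDCC BBAA 9988 7766  5544 3322 1100 FFEE DDCC"  # constructed
    return [
        history.observe(carlos_key, "Carlos E. R. <carlos@example.org>"),   # first-use
        history.observe(carlos_key, "Carlos E. R. <carlos@example.org>"),   # known
        history.observe(carlos_key, "Jorge <jorge@example.net>"),           # same-person
        history.observe(scooter_key, "Carlos E. R. <carlos@example.org>"),  # key-conflict
        history.observe(scooter_key, "Scooter <scooter@example.com>"),      # first-use
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```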
