On Wed, Apr 28, 1999 at 04:54:09AM -0700, Jonathan Walther wrote:
> Speaking of which, Wichert, I've met you in person. Will you sign my key?
> (the enclosed one, not the one currently on the debian public ring). If you
> aren't sure this email is from me, the signatures of 5 other developers on
> my key should convince you :>

Never ask someone to sign your key based solely on what signatures are
already on it, and never do so for someone else.

The idea behind signatures on a key is that each of the people signing it has
independently authenticated the physical person as corresponding to the key
in question, using some kind of (usually government-issued) identification
card.

It does not matter what you use to establish the identity of the person whose
key you are signing, as long as you're comfortable enough in its authenticity
that you would, say, testify in court that you reasonably believe the person
is who they claim themselves to be.

If, once in a while, someone is taken in by a con artist presenting something
like a forged driver's license, and signs an inauthentic PGP key, that does
not do as much damage to the PGP system of trust as many people being
careless about what they accept as valid identification in the first place.

In the United States, for instance, it is usually not a crime to lie to
someone about who you are, but it is a criminal act to possess falsified
government-issued identification documents. The idea is that we want people
to have to be breaking the law to subvert the PGP trust system in this
manner.

Please consider adding the above paragraphs to the PGP Key Signing HOWTO.
(Unless someone on the list shows me how I'm wrong about this.)

-- 
G. Branden Robinson              | The greatest productive force is human
Debian GNU/Linux                 | selfishness.
branden@ecn.purdue.edu           |      -- Robert Heinlein
cartoon.ecn.purdue.edu/~branden/ |
Attachment:
pgp_mNX00wWaq.pgp
Description: PGP signature
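The rule Branden states above, that a signing decision rests on your own in-person check of the key holder and not on how many signatures the key already carries, can be made concrete in code. The following is an added example, not part of the original thread or of the PGP Key Signing HOWTO. It parses a constructed listing in the colon-separated format that `gpg --with-colons --list-sigs --fingerprint` emits (record layout as documented in GnuPG's doc/DETAILS; the key IDs, fingerprint and names are made up), collects the key's fingerprint and its third-party signatures, and then decides whether to sign purely by comparing the fingerprint against the one you recorded when you checked the person's identification face to face. The signature list is parsed only so it can be shown to be irrelevant to that decision.

```python
"""Decide whether to sign a PGP key from an in-person fingerprint check,
ignoring the signatures already present on the key.

Added illustration, not code from the mailing-list thread. The sample input
below is constructed to mimic `gpg --with-colons --list-sigs --fingerprint`
output; the key IDs, fingerprint and user IDs are invented.
"""

from dataclasses import dataclass, field

# Constructed sample: one key, one self-signature, five third-party signatures.
SAMPLE_LISTING = """\
tru::1:1600000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1600000000:::u:::scESC::::::23::0:
fpr:::::::::1111222233334444555566667777888899990000:
uid:u::::1600000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example Person <person@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1600000000::::Example Person <person@example.org>:13x::
sig:::1:AAAAAAAAAAAAAAA1:1600000100::::Signer One <one@example.org>:10x::
sig:::1:AAAAAAAAAAAAAAA2:1600000200::::Signer Two <two@example.org>:10x::
sig:::1:AAAAAAAAAAAAAAA3:1600000300::::Signer Three <three@example.org>:10x::
sig:::1:AAAAAAAAAAAAAAA4:1600000400::::Signer Four <four@example.org>:10x::
sig:::1:AAAAAAAAAAAAAAA5:1600000500::::Signer Five <five@example.org>:10x::
"""


@dataclass
class KeyInfo:
    key_id: str
    fingerprint: str = ""
    uids: list = field(default_factory=list)
    # (signer key ID, signer user ID) for signatures made by other keys
    signers: list = field(default_factory=list)


def parse_listing(text):
    """Parse colon-separated gpg output into KeyInfo records.

    Field positions follow GnuPG's doc/DETAILS: field 5 is the key ID on
    'pub' and 'sig' records, field 10 is the fingerprint on 'fpr' records
    and the user ID on 'uid' and 'sig' records.
    """
    keys = []
    current = None
    for line in text.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            current = KeyInfo(key_id=fields[4])
            keys.append(current)
        elif current is None:
            continue  # records before the first 'pub' (e.g. 'tru') carry no key data
        elif rtype == "fpr":
            current.fingerprint = fields[9]
        elif rtype == "uid":
            current.uids.append(fields[9])
        elif rtype == "sig":
            signer_id = fields[4]
            if signer_id != current.key_id:  # self-signatures say nothing about identity
                current.signers.append((signer_id, fields[9]))
    return keys


def normalize_fingerprint(fpr):
    """Strip the spaces people write between fingerprint groups; compare uppercase."""
    return "".join(fpr.split()).upper()


def should_sign(key, fingerprint_verified_in_person):
    """Return True only if the fingerprint you verified against the person's
    identification matches the key's fingerprint. The count of existing
    signatures (len(key.signers)) is deliberately not consulted."""
    if not fingerprint_verified_in_person:
        return False
    return normalize_fingerprint(fingerprint_verified_in_person) == normalize_fingerprint(key.fingerprint)


if __name__ == "__main__":
    key = parse_listing(SAMPLE_LISTING)[0]
    print("key", key.key_id, "fingerprint", key.fingerprint)
    print("third-party signatures:", len(key.signers), "(not a basis for signing)")
    # Constructed: the fingerprint as copied from the slip of paper checked in person.
    print("sign with matching in-person fingerprint:",
          should_sign(key, "1111 2222 3333 4444 5555 6666 7777 8888 9999 0000"))
    print("sign with no in-person check:", should_sign(key, None))
```

The decision function takes the key and the fingerprint you wrote down at the meeting; a key with five signatures and no in-person check is refused, and a key with none but a matching fingerprint is accepted, which is exactly the ordering of evidence the message argues for.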