pocallaghan at gmail.com
Wed May 28 19:26:19 UTC 2008
On Wed, 2008-05-28 at 17:49 +0100, Anne Wilson wrote:
> On Wednesday 28 May 2008 17:11:07 Mikkel L. Ellertson wrote:
> > Tim wrote:
> > > Patrick O'Callaghan:
> > >>> gpg --sign-key <name>
> > >
> > > Bill Crawford:
> > >> --lsign-key, please, unless you have met the person and seen their
> > >> passport.
> > >
> > > A good idea, but could you tell a forged passport apart from a real one?
> > > I'm sure that I couldn't. Likewise for other forms of ID, I couldn't
> > > tell a real one from a good fake, and I'd have no way to verify a real
> > > ID.
> > >
> > > Though I seriously doubt that most of us would be using gpg in a way
> > > that required such a level of personal identity assurance.
> > I started signing my email to the lists when a couple of messages
> > hit a list with my email address that were not from me. This way, a
> > forged message stands out because of the lack of signature, or
> > because it is signed by a different key.
> For me, it was when someone accused me of sending a virused email, again on a
> forged message.
Anne, your signature on a message guarantees that you sent it (actually
all it does is guarantee that it was sent by someone with access to your
private key, but anyway), however the absence of your signature doesn't
guarantee that you didn't send it. Your protestations that you always
sign your mail have the same weight as saying you don't send viruses, so
I don't see the gain in this specific example.
> It is important, though, to maintain the web-of-trust. It does have legal
> implications, and that's why local signing is an option.
IANAL etc. etc. but what is your basis for saying it has legal
implications? Some PKI systems may indeed have them, but GPG is not a