[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [ESD-translators] Slides for workshop in Prague
From: |
Ineiev |
Subject: |
Re: [ESD-translators] Slides for workshop in Prague |
Date: |
Fri, 30 Mar 2018 15:50:46 -0400 |
User-agent: |
Mutt/1.5.21 (2010-09-15) |
Hi, Tomas;
On Fri, Mar 30, 2018 at 12:23:32PM +0200, Tomas Stary wrote:
>
> I also wonder, how thoroughly should we check the identity when signing
> the keys of others. Is the check of the ID really necessary?
Debian guidelines say it isn't exactly necessary, what's necessary
is t make sure that the person has given identity. you aren't likely
to need any ID to sign the key of your uncle, but when you meet
a person for the first (and probably the last) time, the most
obvious way is checking their IDs.
Still it isn't a trivial question why a confirmation of person's
name is wanted at all.
> The reason
> why I think of that is that some people might use pseudonym rather than
> their official name.
The methods for checking pseudonyms are not so established
as for checking IDs, so it is going to be harder to have people
sign your pseudonyms (note that your certificate may have multiple
names, and my experience shows that many people check one name and
then sign _all_ user IDs).
> Also, there might be more people with the same
> official name and then some of them might create certificate to
> impersonate one another (for the email address they don't own).
By the way, a user ID may have no email address. perhaps you can
distinguish different homonyms using the fingerprints of their
certificates.
> I think
> the alternative could be to verify if they have an access to the email
> address they claim the certificate for.
Checking email control is a mandatory step in many workflows.
you just send the signed key in an encrypted message to that
email address, so basically they can't use your signature on their
key unless they control that address. if there are multiple addresses,
it's more complicated: you sign them one by one, each time sending
to the respective email address and removing and re-importing
the original (unsigned) key in your keyring in order to get
a separately signed certificate for every email address.
signature.asc
Description: Digital signature