[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Photo ID is not needed for key signings....




At 6:47 PM -0700 6/12/97, Tim May wrote:
>At 8:31 AM -0700 6/12/97, Bill Frantz wrote:
>>IMHO - What you are really signing is the binding between the data
>>associated with the key (usually an email address) and the key.  You are
>>saying that the secret key holder is (one of the) person(s) who has access
>>to that account, and not some man in the middle in the middle.  If you ask
>>to see Lucky Green's, or Futplex's, or Black Unicorn's picture ID, you will
>>either see a forgery or an ID issued by an organization not interested in
>>birth certificates.
>
>My binding was between the key, and "me." Those who wanted to send messages
>to "me" could assume that only "I" could read it. The address
>"[email protected]" vs. "[email protected]" is not central. Any concern that
>"[email protected]" is somehow not the keyholder of that '92 key is a nonissue.

My answer was a pure SPKI answer.  As a first approximation, in SPKI your
identity is your key.  Meatspace doesn't enter into it at all.  This avoids
the naming problem of meatspace (i.e. Which John Smith).

Much of the problem with PGP key signing is there is no complete agreement
on what it means.  I chose to have it mean that there verification of the
binding between the data associated with the key and the key.

If you have a version of the key with no signatures, then you can change
the data field and re-sign with the associated secret key.  Since the data
field has changed, you properly need to have others re-verify the validity
of the binding.


-------------------------------------------------------------------------
Bill Frantz       | The Internet was designed  | Periwinkle -- Consulting
(408)356-8506     | to protect the free world  | 16345 Englewood Ave.
[email protected] | from hostile governments.  | Los Gatos, CA 95032, USA