Re: [Fsuk-manchester] Keysigning (was: SFD09 – The final call for volunteers)

[Robert Burrell Donkin]

On Sun, Sep 20, 2009 at 1:26 PM, Simon Ward <address@hidden> wrote:
> On Fri, Sep 18, 2009 at 02:44:02PM +0100, Dave Page wrote:
>> See, signing keys using passports is IMHO a bad idea, which is why it's worth
>> having a discussion about keysigning, what it involves and what you're trying
>> to achieve with it. I won't (indeed, can't) take part in a keysigning that
>> requires passports.
>
> Verifying identity using *only* passports is probably a bad idea, but
> it’s not black and white.  With the passport, you essentially have a
> third party that you presume (or not) has done some verification that
> you may or may not trust to some extent.  It’s up o you to make that
> decision.

identity is a deep problem

possession of state issued photo ID is at least a clear test. yes,
passports can be forged or issued in error but it's relatively hard
(at least in the UK these days) to find independent channels. british
photo ID opens up employment, bank accounts, the NHS and so on. it is
now a single point of failure.

a passport is relatively hard to forge but once it has been, it is
hard to think of independent channels that cannot be easily forged
once in possession of that document.

> It would be convenient if everybody had the same standards as you for
> verifying identity, but they don’t, and that’s part of the beauty of
> the OpenPGP web of trust.  You can decide how much you trust someone
> to correctly verify identity and sign keys.  Again, it’s up to you to
> make that decision.

one of the problems with modelling trust is that meta-judgements are
just too hard to make so this only really works for one hop

- robert