The Monday 2006-11-06 at 07:27 -0500, ken wrote:
> On 11/05/2006 10:35 PM somebody named Carlos E. R. wrote:
>> Also, I don't even sign locally keys for which I don't have some kind of verification, even if marginal, because key checking will not tell me the difference when reading an email. But that is a personal choice.
> Carlos,
> I very much appreciate the rigorous care you take when signing others' keys. I also find the documentation on this aspect of key signing rather abstract. So to wax phenomenological, I would see a case for locally signing your (actual) key and would advocate for at least one descriptive category of signature.
> Because you have been posting here for quite a while with a consistent key, I can be sure that emails sent to me with this key are from the same person (unless someone else gets your passphrase or hacks your private key... but in that case all bets are off anyway).
Right.
> If you change to a new email account and want to prove to me that you are the same person, all you have to do is send me an email using your current key.
Actually, you can add the new identity to the old key, upload it again to a key server, and continue using the same key. The same key can have several ids.
> I might not know with any certainty that your name really is Carlos or anything else about you, but I do know that you are the same person I have been receiving emails from, even if you send me an email with a different name and different email address.
Yes.
> Conversely, if someone else, say a guy named Scooter, gets control of your email address (or spoofs it) and, further, uses the name Carlos E. R., Scooter could fool a lot of people into thinking he was you... unless people had already imported your key and questioned the fact that he was not using the key for Carlos E. R. Going on the assumption that Scooter was not in possession of your private key, he could not prove (to me, at least) that he was you.
But he might fool you by creating a new key pair and using it. You would download that key, and the keys would be correct. You might not notice that the keys used by me and the impersonator were different unless you checked.
> Conversely again, you could change your email address and even change your name-- to, say, Jorge-- and if you used the same key you are using now, people who had already imported your key would know that Jorge and Carlos were the same person. Moreover, were I to (non-locally) sign and upload your key, other people would/should trust that Jorge and Carlos E. R. are one and the same person.
Yes.
> Now the terms "local" and "non-local" (global?) don't describe very well this usage. Nor do the given "levels of trust". Given the above purposes, there's no question as to *how much* I trust the signature, but rather *what* I trust. The local-global dichotomy doesn't address this manner of trusting, what I would refer to as "personal" or "identical" trusting. That is, I don't know your date of birth, street address, phone number, or even if Carlos E. R. is your true name, but I don't care about those. (Except for your date of birth, all these details about you could be legally changed anyway.) The only trust issue here is personal (and I'm using "person" here in its original, most fundamental sense, from the Latin "per-sonare", to sound through (a mask), what an actor in a drama did/does), one of the identity of the one who may wear different "masks". To trust any communication where the identity of the person we are communicating with is critical, this manner of trusting is critical, regardless of whether we call it global or local.
Right again. Local signing is just a safeguard, so that I don't upload them accidentally and others import it. Each person might use it for different purposes, but the idea is to only sign globally or publicly when we can certify the identity of that person somewhat. That's how I understand it, at least.

-- 
Cheers,
Carlos E. R.
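The key-continuity reasoning in this exchange (a key seen consistently over time identifies the same person whatever name or address they use, while a familiar name arriving on an unfamiliar key is the "Scooter" case and must be flagged), as an added Python example that is not part of the thread; the fingerprints and addresses in it are constructed.

```python
"""Key-continuity check for signed mail (added example, not from the thread).

Each incoming message is reduced to (name, email, key fingerprint). The log
remembers which key has been seen behind which user ids and classifies a
message as one of:
  first-seen         -- never saw this key or this identity before
  consistent         -- same key, same identity as before
  same-key-new-uid   -- a known key now wearing a new "mask" (Carlos as Jorge)
  uid-key-mismatch   -- a known identity on a key we have never seen for it
Nothing is learned from a mismatch so an impersonator cannot overwrite the
binding simply by sending mail.
"""
from dataclasses import dataclass, field


@dataclass
class KeyLog:
    by_key: dict = field(default_factory=dict)  # fingerprint -> {(name, email)}
    by_uid: dict = field(default_factory=dict)  # (name, email) -> fingerprint

    def check(self, name: str, email: str, fingerprint: str) -> str:
        uid = (name.strip().lower(), email.strip().lower())
        fpr = fingerprint.replace(" ", "").upper()
        # A known identity must keep showing up on the key we first saw it with.
        if uid in self.by_uid and self.by_uid[uid] != fpr:
            return "uid-key-mismatch"
        if fpr in self.by_key and uid in self.by_key[fpr]:
            verdict = "consistent"
        elif fpr in self.by_key:
            verdict = "same-key-new-uid"  # same person, new name or address
        else:
            verdict = "first-seen"
        self.by_key.setdefault(fpr, set()).add(uid)
        self.by_uid.setdefault(uid, fpr)
        return verdict


if __name__ == "__main__":
    # Constructed fingerprints; they are not real keys.
    carlos_key = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
    scooter_key = "FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98"
    log = KeyLog()
    print(log.check("Carlos E. R.", "carlos@example.org", carlos_key))   # first-seen
    print(log.check("Carlos E. R.", "carlos@example.org", carlos_key))   # consistent
    print(log.check("Jorge", "jorge@example.net", carlos_key))           # same-key-new-uid
    print(log.check("Carlos E. R.", "carlos@example.org", scooter_key))  # uid-key-mismatch
```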