Ah, I get it now. Key signing is one way of certifying identity. Identity *may* be a contributing factor in trust, but establishing a "Web of trust" is not the primary objective of the key signing parties.
Thanks,
Adrian

On Tue, Aug 13, 2013 at 4:56 PM, Ben Finney <[email protected]> wrote:

> Adrian Colomitchi <[email protected]>
> writes:
>
> > My question: why is there a need for any other ID that's different
> > from the public key?
>
> The entire purpose of a keysigning party is to gather *independent
> verification* that the key ID is correctly associated with that person.
>
> This is why we ask for identifiers that are independent of the web of
> trust, and why we require the person to assert in our presence that the
> key is theirs, and why we prefer identifiers that tend to be easily
> verified and issued by well-known bodies to individual persons by a
> verifiable process.
>
> It is also why no-one needs to sign any key in the presence of anyone
> else. It's entirely up to the signer whether they are satisfied with the
> key-holder's identity, and they can wait until after the party to sign
> or not.
>
> > I.e.: the "sufficient certification" should actually be "We, the
> > signers of this public key, certify this public key belongs to a
> > person we trust"?
>
> A keysigning party is designed to make it easier for people who may not
> have sufficient people in close proximity who trust merely their word,
> to meet many people at the same time and make worthwhile their efforts
> to present verification of identity.
>
> > (and, of course, refuse to sign a key for any person they don't actually
> > trust, no matter the govt issued IDs or anything else).
>
> You don't have to trust a person in order to sign their key. You are not
> asserting trust; that's entirely your business, and you never need to
> disclose it.
>
> Rather, your signature on a key says *only* that you have verified the
> person's identity and the person tells you this key is controlled by
> them.
>
> > Why would one need to ask something in addition (impose extra
> > requirements that don't add much to the "trust relationship"?)
>
> Key signatures are about asserting identity, not about trust. Trust
> depends on reliable identity, but is not the same thing.
>
> GnuPG maintains an entirely separate database for trust (specifically,
> your level of trust that the key-holder can competently manage their key
> and signatures) – and it is entirely private to you.
>
> --
>  \     “It's dangerous to be right when the government is wrong.” |
>   `\                           —Francois Marie Arouet Voltaire |
> _o__)                                                          |
> Ben Finney
>
> _______________________________________________
> Free-software-melb mailing list
> [email protected]
> http://lists.softwarefreedom.com.au/cgi-bin/mailman/listinfo/free-software-melb
>
> Free Software Melbourne home page: http://www.freesoftware.asn.au/melb/
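As an added illustration (not part of the original thread), the following simplified Python model shows the distinction drawn in the quoted message: certifications are public statements about identity, while ownertrust is a private, per-user setting that decides how much weight those certifications carry. It assumes the defaults of GnuPG's classic trust model (one fully trusted or three marginally trusted signers make a key valid); the names, the sample data and the `valid_keys` helper are constructed for the example.

```python
# Simplified model of GnuPG's classic trust model (assumed defaults:
# completes-needed 1, marginals-needed 3, max-cert-depth 5).
# All key names and certifications below are constructed sample data.
FULL, MARGINAL, NONE = "full", "marginal", "none"

# Public data: who has certified ("signed") whose key. Anyone can see this.
CERTS = {
    "alice": {"bob", "carol", "dave"},  # Alice checked their IDs at the party
    "bob": {"erin"},
    "carol": {"erin"},
    "dave": {"erin"},
}

def valid_keys(me, certifications, ownertrust,
               completes_needed=1, marginals_needed=3, max_depth=5):
    """Return the keys `me` accepts as belonging to their claimed owner.

    certifications: public, signer -> set of keys that signer certified.
    ownertrust:     private to `me`, key -> FULL or MARGINAL (absent = NONE).
    """
    valid = {me}  # one's own key is ultimately trusted
    for _ in range(max_depth):
        candidates = set().union(*certifications.values()) - valid
        newly = set()
        for key in candidates:
            full = marginal = 0
            # Only certifications made by already-valid keys count at all.
            for signer in valid:
                if key in certifications.get(signer, ()):
                    trust = FULL if signer == me else ownertrust.get(signer, NONE)
                    full += trust == FULL
                    marginal += trust == MARGINAL
            if full >= completes_needed or marginal >= marginals_needed:
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid

if __name__ == "__main__":
    # Same public signatures, different private ownertrust, different result.
    print(sorted(valid_keys("alice", CERTS, {})))
    print(sorted(valid_keys("alice", CERTS, {"bob": FULL})))
```

With an empty ownertrust table Alice accepts only the keys she certified herself; Erin's key becomes valid for her only once she privately decides how far to rely on Bob's, Carol's or Dave's certifications.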
