-----BEGIN PGP SIGNED MESSAGE----- In <v0300786dafc68637a08c@[207.94.249.152]>, on 06/12/97 at 10:14 PM, Bill Frantz <frantz@netcom.com> said:
At 6:47 PM -0700 6/12/97, Tim May wrote:
At 8:31 AM -0700 6/12/97, Bill Frantz wrote:
IMHO - What you are really signing is the binding between the data associated with the key (usually an email address) and the key. You are saying that the secret key holder is (one of the) person(s) who has access to that account, and not some man in the middle in the middle. If you ask to see Lucky Green's, or Futplex's, or Black Unicorn's picture ID, you will either see a forgery or an ID issued by an organization not interested in birth certificates.
My binding was between the key, and "me." Those who wanted to send messages to "me" could assume that only "I" could read it. The address "tcmay@netcom.com" vs. "tcmay@got.net" is not central. Any concern that "tcmay@got.net" is somehow not the keyholder of that '92 key is a nonissue.
My answer was a pure SPKI answer. As a first approximation, in SPKI your identity is your key. Meatspace doesn't enter into it at all. This avoids the naming problem of meatspace (i.e. Which John Smith).
Much of the problem with PGP key signing is there is no complete agreement on what it means. I chose to have it mean that there verification of the binding between the data associated with the key and the key.
If you have a version of the key with no signatures, then you can change the data field and re-sign with the associated secret key. Since the data field has changed, you properly need to have others re-verify the validity of the binding.
I don't think that any changes that he would make to his key would need re-verification provided that he signed those changes. Take the following scenario: John Doe creates a key and signs it: pub 2048/FFFFFFFF 01/01/90 John Doe sig John Doe (0xFFFFFFFF) Now 3 other people verify that the key does belong to John Doe and sign the key: pub 2048/FFFFFFFF 01/01/90 John Doe john.doe@anonymous.com sig John Doe (0xFFFFFFFF) sig Mary Jane (0xAAAAAAAA) sig Tom Thumb (0x11111111) sig Tiny Tim (0xCCCCCCCC) Now John adds an aka to his key and signs it. pub 2048/FFFFFFFF 01/01/90 John Doe john.doe@anonymous.com sig John Doe (0xFFFFFFFF) sig Mary Jane (0xAAAAAAAA) sig Tom Thumb (0x11111111) sig Tiny Tim (0xCCCCCCCC) aka John Doe john.doe@who-is-it.com sig John Doe (0xFFFFFFFF) Since John Doe is the only one who could sign the key with the new aka one can assume that the aka is as valid as the original userid. - -- - --------------------------------------------------------------- William H. Geiger III http://www.amaranth.com/~whgiii Geiger Consulting Cooking With Warp 4.0 Author of E-Secure - PGP Front End for MR/2 Ice PGP & MR/2 the only way for secure e-mail. OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html - --------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: cp850 Comment: Registered_User_E-Secure_v1.1b1_ES000000 iQCVAwUBM6Debo9Co1n+aLhhAQEOHwP/X5d2qrBCLP/z/zFkf1XDcPJ/ztkwNQ2W qbFUo+S/ZY9vPCXezs6dCZZfSW3WrRnpmOXQjrSK9qcps6Eafhqs4G96v3bCCzVL /wjFV+SZigTMyGqBMv9yscYM8o2KnZSvv2ajsIJLbxgoeLAnNvWXIrB2ls21ydSe k/rXTVnwK/E= =wXYL -----END PGP SIGNATURE-----