At 6:47 PM -0700 6/12/97, Tim May wrote:
At 8:31 AM -0700 6/12/97, Bill Frantz wrote:
IMHO - What you are really signing is the binding between the data associated with the key (usually an email address) and the key. You are saying that the secret key holder is (one of the) person(s) who has access to that account, and not some man in the middle in the middle. If you ask to see Lucky Green's, or Futplex's, or Black Unicorn's picture ID, you will either see a forgery or an ID issued by an organization not interested in birth certificates.
My binding was between the key, and "me." Those who wanted to send messages to "me" could assume that only "I" could read it. The address "tcmay@netcom.com" vs. "tcmay@got.net" is not central. Any concern that "tcmay@got.net" is somehow not the keyholder of that '92 key is a nonissue.
My answer was a pure SPKI answer. As a first approximation, in SPKI your identity is your key. Meatspace doesn't enter into it at all. This avoids the naming problem of meatspace (i.e. Which John Smith). Much of the problem with PGP key signing is there is no complete agreement on what it means. I chose to have it mean that there verification of the binding between the data associated with the key and the key. If you have a version of the key with no signatures, then you can change the data field and re-sign with the associated secret key. Since the data field has changed, you properly need to have others re-verify the validity of the binding. ------------------------------------------------------------------------- Bill Frantz | The Internet was designed | Periwinkle -- Consulting (408)356-8506 | to protect the free world | 16345 Englewood Ave. frantz@netcom.com | from hostile governments. | Los Gatos, CA 95032, USA