On Mon, 16 Jul 2012 12:26:57 +0100 Richard Parsons richard.lee.parsons@gmail.com allegedly wrote:
I'm still pretty new to this, but understand that I'm meant to see government ID to confirm the identify of the person and also check that they can sign/decrypt with the key.
Up to you to decide what form of ID is "sufficient" for your purposes. Obviously a photo id (such as a passport or driving licence) issued by an authority both parties trust is preferable to something less rigorous, but bank cards or any such signature based id are also often acceptable. The point is, the policy ought to be established first and published so that later entrants to the party know what level of rigour is/was applied. In my view, there is little point in my insisting on you showing me your passport, if prior signings have been less rigourous.
You also need to decide /why/ the key signing exchange is necessary. You don't actually /need/ a web of trust for secure exchange of emails (which is what I use GPG for). I publish my public key both on keyservers and on my own blog. If someone wants/needs to send me secure email they can do so. If they then send me their public key I can do the same in reverse. It is up to me to assign the level of trust I place in that key. That trust level usually depends on how long (and in what context) I have known the owner.
Are you local to Norwich, in which case maybe we can meet at lunchtime one day if we're both in the city. If not, maybe I should make my way over to another ALUG meeting sometime. Isn't there one in Ipswich tonight? Do you go to those?
I don't go to any of the meetings. If you want to meet up sometime for an exchange, by all means suggest some dates. I can make a lunchtime in Norwich.
Mick
--------------------------------------------------------------------- blog: baldric.net fingerprint: E8D2 8882 F7AE DEB7 B2AA 9407 B9EA 82CC 1092 7423 ---------------------------------------------------------------------