On Mon, Jul 16, 2012 at 04:29:29PM +0100, mick wrote:
> On Mon, 16 Jul 2012 12:26:57 +0100 Richard Parsons <richard.lee.parsons@gmail.com> allegedly wrote:
> > I'm still pretty new to this, but understand that I'm meant to see government ID to confirm the identity of the person and also check that they can sign/decrypt with the key.
> Up to you to decide what form of ID is "sufficient" for your purposes. Obviously a photo ID (such as a passport or driving licence) issued by an authority both parties trust is preferable to something less rigorous, but bank cards or any such signature-based ID are also often acceptable. The point is, the policy ought to be established first and published so that later entrants to the party know what level of rigour is/was applied. In my view, there is little point in my insisting on you showing me your passport if prior signings have been less rigorous.
I had thought that the idea was that a person should always have the same minimum standard for signing. That way, if you trust me, and you trust my criteria for signing other keys, you can trust the keys that I have signed. For that purpose it seemed to me to be a good idea to set a minimum personal standard, irrespective of the standards used by others.
> You also need to decide /why/ the key signing exchange is necessary. You don't actually /need/ a web of trust for secure exchange of emails (which is what I use GPG for).
Yes, if I've understood correctly, the main point of a web of trust is to be more sure that the public key is the right one. Anyone could create a public key for your email address, or for a very similar email address, and publish it. However, if I can see that several people I trust have signed your key, I can have more confidence that I've gotten the proper public key for you.
Thanks Richard
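As an added illustration of the web-of-trust point Richard makes above (this is example code written for this page, not something from the thread or from GnuPG itself), the following computes key validity the way GnuPG's classic trust model does with its default settings (three marginally trusted introducers or one fully trusted one, certification depth at most five). The keyring and owner-trust assignments are a constructed sample.

```python
"""Key validity under GnuPG's classic web-of-trust rules, using the
defaults --marginals-needed 3, --completes-needed 1, --max-cert-depth 5."""

MARGINALS_NEEDED = 3
COMPLETES_NEEDED = 1
MAX_CERT_DEPTH = 5


def compute_validity(signatures, ownertrust):
    """signatures: {key: set of keys that certified it}.
    ownertrust:  {key: 'ultimate' | 'full' | 'marginal'} (our opinion of the
                 holder as an introducer; keys absent here are untrusted).
    Returns {key: 'full' | 'marginal' | 'unknown'}.
    A certification only counts if the signer's own key is already fully
    valid AND we have assigned the signer some owner trust."""
    keys = set(signatures) | set(ownertrust)
    keys |= {s for signers in signatures.values() for s in signers}
    validity = {k: "unknown" for k in keys}
    for k, trust in ownertrust.items():
        if trust == "ultimate":          # our own keys are valid by definition
            validity[k] = "full"
    for _ in range(MAX_CERT_DEPTH):      # each pass extends the chain one hop
        changed = False
        for key, signers in signatures.items():
            if validity[key] == "full":
                continue
            counting = [s for s in signers if validity[s] == "full"]
            full_sigs = sum(ownertrust.get(s) in ("full", "ultimate") for s in counting)
            marginal_sigs = sum(ownertrust.get(s) == "marginal" for s in counting)
            if full_sigs >= COMPLETES_NEEDED or marginal_sigs >= MARGINALS_NEEDED:
                new = "full"
            elif full_sigs or marginal_sigs:
                new = "marginal"         # some evidence, not enough to rely on
            else:
                new = "unknown"
            if new != validity[key]:
                validity[key] = new
                changed = True
        if not changed:
            break
    return validity


# Constructed sample keyring; "me" is the key we hold ourselves.
SIGNATURES = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
    "richard": {"alice"},               # one fully trusted introducer
    "mick": {"bob", "carol", "dave"},   # three marginal introducers
    "eve": {"bob"},                     # one marginal: not enough
    "frank": {"trent"},                 # trent's key is not valid to us
    "trent": set(),
}
OWNERTRUST = {"me": "ultimate", "alice": "full", "bob": "marginal",
              "carol": "marginal", "dave": "marginal"}
```

Note that eve's key stays only marginally valid even though bob vouched for it: one cautious signer is not enough under the defaults, which is exactly why a published, consistent signing standard matters.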