[ale] PGP / GPG key 0x450F89EC <pause at pause.perl.org>

David Tomaschik david at systemoverlord.com
Wed Nov 30 10:52:39 EST 2011


On Wed, Nov 30, 2011 at 10:24 AM, Michael H. Warfield <mhw at wittsend.com> wrote:
> Sorry for hitting the whole list with this but I haven't gotten a
> response back from the E-Mail address in question.  I only sent the
> query out early yesterday afternoon so that's not wholly surprising.
>
> What appears to be a "role key" was submitted to the ALE Keysigning
> Party.  Role keys are normally fine but the rules tend to be a little
> different for verification, if the owner of that key wants them signed.
> Usually, some proof of ownership (such as corporate papers for corporate
> keys) or proof of authority is usually required.  As one poster
> mentioned, they only sign such keys with pseudonyms if they have a real
> uid included on the key.  I'll have to think about that criterion, since
> you can always edit a key to remove a uid (subject to my comments in
> another message); I'm not totally sure I would trust that, but maybe.
>

FWIW, if the key is already on the keyserver, deleting a UID is no
good.  All you can do is revoke the UID.  While I don't object to
pseudonymous keys, I will not trust them in my keyring, and will only
sign them as "I have not checked at all."  GnuPG asks what level of
checking you have done when you sign a key with the following options:

0.    I will not answer. (default)
1.    I have not checked at all.
2.    I have done casual checking.
3.    I have done very careful checking.

I normally select "2" for signatures from a keysigning event.  I will
sign with "very careful" checking for people whom I know personally or
individuals who have provided 2 or more reasonable forms of
identification.

I *will not* under any circumstances sign UIDs that I feel are
intentionally misleading.  If Jim Kinney brings me a key with both his
UID and a UID with the name "Mike Warfield" on it, I will not sign
that key.

I have also adopted Jeremy's practice of encrypting the signed key and
sending it to (in my case) the first email address on the key.  If I
have concerns about a particular email address, I might instead choose
that one.

-- 
David Tomaschik, RHCE, LPIC-1
System Administrator/Open Source Advocate
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
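Two of the points above are visible in machine-readable form in GnuPG's own key listing: a UID that was revoked rather than deleted still shows up (with validity `r` and a revocation record), and every signature records the check level the signer chose, so anyone evaluating a key can see whether a certification means "very careful checking" or "not checked at all". The following parser is an added example and is not code from the thread's authors; it reads `gpg --with-colons --list-sigs` output (field layout as documented in GnuPG's doc/DETAILS) and summarises the third-party certifications per UID. The key IDs, names and addresses in the sample listing are constructed.

```python
"""Summarise certifications on an OpenPGP key from `gpg --with-colons --list-sigs` output.

Added example; the listing below is constructed (made-up key IDs and addresses).
"""

# Certification signature classes (RFC 4880 section 5.2.1) and the GnuPG
# "How carefully have you verified" answers they correspond to.
CERT_CLASSES = {
    0x10: "generic (signer did not answer)",
    0x11: "persona (signer has not checked at all)",
    0x12: "casual checking",
    0x13: "positive (very careful checking)",
}
# Class 0x30 is a certification revocation (a 'rev' record in the listing).
REVOCATION_CLASS = 0x30

# Constructed sample: one key, two UIDs. The second UID was revoked, not deleted,
# so it is still present in the listing with validity 'r' and a 'rev' record.
SAMPLE_LISTING = """\
pub:u:2048:1:0123456789ABCDEF:1300000000:::u:::scESC:
uid:u::::1300000000::0000000000000000000000000000000000000000::Example Person <person@example.org>:
sig:::1:0123456789ABCDEF:1300000000::::Example Person <person@example.org>:13x:
sig:::1:FEDCBA9876543210:1322000000::::Signer One <one@example.org>:12x:
sig:::1:AAAABBBBCCCCDDDD:1322000000::::Signer Two <two@example.org>:11x:
uid:r::::1300000000::1111111111111111111111111111111111111111::Pseudonymous Handle <handle@example.org>:
sig:::1:0123456789ABCDEF:1300000000::::Example Person <person@example.org>:13x:
rev:::1:0123456789ABCDEF:1322500000::::Example Person <person@example.org>:30x:
sub:u:2048:1:1111222233334444:1300000000::::::e:
"""


def parse_listing(text):
    """Return (primary key id, list of UID records) parsed from colon-format output."""
    primary = None
    uids = []
    for line in text.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":
            primary = f[4]                      # field 5: key ID of the primary key
        elif rec == "uid":
            # Field 2 is validity; 'r' marks a revoked UID. A UID that was merely
            # deleted from a local copy would be absent here and would come back
            # from the keyserver on the next refresh.
            uids.append({"uid": f[9], "revoked": f[1] == "r", "sigs": []})
        elif rec in ("sig", "rev") and uids:
            # Field 11 is the signature class in hex, suffixed 'x' (exportable)
            # or 'l' (local-only); field 10 is the signer's user ID.
            sigclass = int(f[10].rstrip("xl"), 16)
            uids[-1]["sigs"].append({
                "keyid": f[4],
                "signer": f[9],
                "class": sigclass,
                "exportable": f[10].endswith("x"),
            })
    return primary, uids


def summarise(text):
    """Per UID: revoked flag, best third-party check level, and signers who
    certified the UID while stating they had not checked it at all."""
    primary, uids = parse_listing(text)
    summary = {}
    for u in uids:
        # Self-signatures say nothing about identity checking, so skip the key's own.
        third_party = [s for s in u["sigs"]
                       if s["keyid"] != primary and s["class"] in CERT_CLASSES]
        best = max((s["class"] for s in third_party), default=None)
        summary[u["uid"]] = {
            "revoked": u["revoked"],
            "revocations": sum(1 for s in u["sigs"] if s["class"] == REVOCATION_CLASS),
            "best_level": CERT_CLASSES.get(best),
            "unchecked_signers": [s["signer"] for s in third_party if s["class"] == 0x11],
        }
    return summary


if __name__ == "__main__":
    for uid, info in summarise(SAMPLE_LISTING).items():
        status = "REVOKED" if info["revoked"] else "valid"
        print(f"{uid} [{status}, {info['revocations']} revocation(s)]")
        print(f"  best third-party certification: {info['best_level']}")
        for signer in info["unchecked_signers"]:
            print(f"  certified without checking by: {signer}")
```

To run it against a real key, pipe `gpg --with-colons --list-sigs KEYID` into `summarise` instead of the constructed sample. A "persona" (0x11) certification is exactly what a signer produces when answering "I have not checked at all", which is why it should carry no weight in the web of trust even though the signature itself is valid.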


