johnsu01 (johnsu01) wrote,

GPG keysigning and government identification

Please stop recommending that checking government-issued ID is a good way to verify someone's identity before signing their GPG key.

Have you been a US bartender before? Or held any other position where you've had to verify an ID? It's not an easy thing to do. People in those positions have books of valid IDs from different states. They have lights that show the security marks. They still get it wrong regularly. A very amateur fake ID, or borrowed real ID, will fool just about everyone in any informal context.

What's even worse is that people have a habit of happily looking at passports from other countries than their own, and nodding knowingly. It's fun, but be honest, you have no idea what you're doing.

How about just signing keys with people you would actually say you know well enough to trust? It's not the Web of Amateur ID Checking.

ID checking is at best ineffective against the threats it's supposed to address, and is probably actually damaging to the Web of Trust because of the false sense of security.

No idea what I'm talking about? Learn to encrypt your email by reading the FSF's new Email Self-Defense Guide, published in honor of today's Reset The Net effort.

Tags: encryption, free software, gpg, security, surveillance


June 5 2014, 08:14:28 UTC

Unfortunately, Debian promotes this practice by insisting that each Debian Developer candidate have his key signed by multiple existing DDs, a requirement which could hardly be met if people only signed the keys of people they "really knew".

Sure. I'm contesting it as a recommendation where it is usually presented as both necessary and sufficient for verification, and especially as used in mass keysignings. There are some edge cases like Debian enrollment where maybe it should be part of a check you do since you are forced (as long as that requirement exists) to verify someone you maybe can't actually verify very well.


June 5 2014, 23:32:50 UTC

Last year I met someone who insisted that he wanted to see my ID, and show his, in order to sign my key.
I told him: look, I won't show you my ID, because I care for my privacy, and the government of my country does not know anything about who I am in reality, as a living person. I don't want to see yours either, because it could be a fake, and I have no means to verify it. What I know, and what I sign, is that you are the person who knows how to decipher stuff encrypted to that key. Period.