rullzer

Yesterday evening, at a friend birthdayparty, I had an interesting discussion with some people about GPG keysinging (you know the usual birthday-talk-stuff). And the main questions was `why do we do “official” ID verification for the web of trust?` A GPG key contains too little information to make chekking against a government ID usefull. There are many many people with the same name so the only thing you actually verify is the name on this ID matches the name of the identities that I am signing, but that is not really what you are interested in for the web of trust. Since can’t I be part of the web of trust if I have a nickname listed as my identity? Or what if the name of the identity is Joe but the name of the ID is Joseph? The thing we really want to establish in the web of trust is to know that the key that you sign actually belongs to the person that claims that it is his key.

The solution

The solution we came up with is actually very simple and already possible with GPG anyway. You attach a photo to your public key! This ways if you (in person) claim that the key belongs to you (you say the fingerprint is correct or whatever) the person that wants to sign your key can check (live) to see if the photo attached to the key is really you. Of course this will require yout to update the photo every once in a while. And well since you only have your private key (or at least I hope that is the case) you are the only person that can add (or replace) the photo in your key.

A nice side effect is that you don’t have to show your ID to a lot of people (which could be a problem to some).

Remarks

I can’t really think of any reason (right now) why this would be less secure than checkking an official ID. But maybe someone can?