I had an interesting discussion yesterday at work, that I would like to share here. It was in regards to when the proper time presents itself to show identification versus identifying them on the outset. As you can probably imagine, this was the subject of GnuPG key signing. So, let’s start first with a couple definitions:
Identity: the state or fact of remaining the same one or ones, as under varying aspects or conditions.
Identification: an act or instance of identifying; the state of being identified.
You see, your identity is who you are, while your identification verifies your identity. This is an important realization that many of us in the tech-world don’t seem to grasp when wishing to sign GnuPG keys of others.
Public key cryptography is a wonderful technology. It gives us the ability to create a system in which encrypting and decrypting files can be done with the compromising integrity of the encryption. GnuPG is a decentralized system that enables end users, such as you and I, to create a web of trust, bypassing certificate authorities. This is done by using your own private GPG key to sign the public key of another. The more signatures on that key, the more that key can be trusted. If those who have signed your key have a great deal of signatures also, then a web of trust is created, and trust strengthens. The deeper those signature levels can do, as well as the wider they can spread, on a single key, the more you can trust the person owning that key.
It has been a long-standing acceptance that when you wish to sign another’s public key, that you check a government issued form of identification, such as a drivers license or passport, so you can verify with their picture that they are who they claim to be. I have no objections with this. However, I would have also asked my own mother for her identification before signing her public key. Thanks to my coworkers, I’ve changed my view on asking for identification, and the change stems from a simple sentence:
All you kneed to verify is their identity, not their identification.
In other words, you are there to verify that they are who they claim to be, or their identity. What if it’s your mother? Cerntainly, you already believe her claim to be your mother. What about your wife? Will you put 10 years of marriage and trust second to checking her government issued form of identification? What about coworkers? Hopefully, your company has done the necessary identity checks, including possibly a background check, on the employee. Is checking his identification really needed? Especially if you have worked with him for a great deal of time?
Let’s look at the process of key signing, then the reason behind it. GPG key signing is a 3 fold process:
- Verify that you have the proper key installed in your public keyring by asking them for the fingerprint of their key
- Verify they are who they claim to be by verifying their identity
- Sign their public key
Notice, that no where did I mention a government form of ID. Instead, I said to verify their identity. If it’s my wife, she’s already been identified. If it’s my coworker or boss, they too have already been identified. If it’s a close friend or relative, again, they have clearly identified themselves to me without a government ID. However, if I am not familiar enough with the person to establish a trusting relationship, then checking for their identification would be appropriate. Maybe I’m at a keysigning party, and I have never met any of the people there. Maybe I’ve done online conversations with the individual, but have never met him face-to-face. Asking for identification would be important. But if it’s a close friend, or acquaintance, asking for identification could be insulting to the established relationship, as trust should already be present. Verifying their identity is already accomplished. All I need to do is make sure I have the proper key installed by asking for the fingerprint of his key, then I can sign away.
See the difference? Asking for identification when trust has already been established is redundant, and unnecessary. The whole point of key signing is to establish trust. If trust exists, then asking for identification is not needed. What do you want to know from the ID? That they can drive? That they can leave the country and come back in? This breaks the traditional stance of keysigning, where regardless of the individual, you ask for identification. Well, long-standing traditions should be questioned for validity. Doing something, “because that’s how we’ve always done it”, isn’t necessarily correct.
I know some who will not sign a key without verifying identification, even if they have a long standing relationship with you already. I used to be one of these individuals. You want your key signed? Show me some ID. Now, after the brief, but intense, discussion yesterday, I’ve changed my position. Key signing is about building trust. If you trust the person already, what’s the point of asking for ID? If you don’t, your reasons for verifying the identity of the individual are warranted.