Novel new use of PGP keysigning sessions
Nicholas Bohm
nbohm at ernest.net
Mon, 14 May 2001 17:46:36 +0100
At 16:52 14/05/2001 +0100, Owen Lewis wrote:
[snip]
>In short, one serious organisation may well opt to accept a form of identity
>issued by another. In principle an electronic identification is in no way
>special in this respect.
Do current standards (X.509) allow for an address (residential or business,
not IP) or other information to be included in certificates? My impression
was that CAs don't certify this sort of thing (and disclaim all liability
to relying parties), which makes their ID hard to use if you are trying to
tie it to some other real world information (e.g. is the person to whom
this ID was issued the same as the one whose name appears in an entry in
the Land Registry relating to the house I want to buy?)
I don't find the CA approach that much better than the web-of-trust, and
don't have much confidence in either of them outside very closely confined
limits.
This is less of a problem than it seems. Most substantial real world
transactions are effected after negotiations and communications which serve
to establish trust and make spoofing difficult. Not that much rests on
last minute verification of signatures outside the specialist world of
banking and its kin. My bank already knows me: I would expect it to
accept my PGP key as mine because I first wrote it a letter (which it
currently regards as an acceptably verifiable procedure) telling it the
ID/fingerprint, and not because some third party certified it.
Regards
Nicholas
Salkyns, Great Canfield,
Takeley, Bishop’s Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272)
Fax 01279 870215 (+44 1279 870215)
Mobile 07715 419728 (+44 7715 419728)
PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint:
9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint:
5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF
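On the X.509 question raised in the post: the certificate format does allow a postal address in the subject. An X.500 Distinguished Name may carry the X.520 attributes streetAddress (OID 2.5.4.9), localityName (2.5.4.7), postalCode (2.5.4.17) and countryName (2.5.4.6), and Go's standard library exposes them directly as fields of pkix.Name. What the format permits and what a CA actually verifies are separate matters; the latter is set by the CA's policy, which is the concern the post raises. The following is an added example, not code from the original message or from any CA: it issues a self-signed certificate with constructed sample address attributes, parses it back the way a relying party would, and compares the certified name and postcode against an independently held record. All names, sample values and the comparison rule are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// PostalIdentity holds the X.520 address attributes a relying party can read
// back out of a certificate subject. Field names are this example's own.
type PostalIdentity struct {
	CommonName    string
	StreetAddress []string
	Locality      []string
	PostalCode    []string
	Country       []string
}

// issueSelfSignedWithAddress builds a short-lived self-signed certificate whose
// subject carries street, locality, postcode and country attributes. A real CA
// would only assert these if its certificate policy says it verifies them.
func issueSelfSignedWithAddress(cn, street, locality, postcode, country string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed; real serials are random
		Subject: pkix.Name{
			CommonName:    cn,
			StreetAddress: []string{street}, // OID 2.5.4.9
			Locality:      []string{locality},
			PostalCode:    []string{postcode}, // OID 2.5.4.17
			Country:       []string{country},
		},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	// Template used as its own parent makes the certificate self-signed.
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// readPostalIdentity parses DER and extracts the address attributes present.
// Attributes the issuer did not include come back as empty slices.
func readPostalIdentity(der []byte) (PostalIdentity, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return PostalIdentity{}, err
	}
	return PostalIdentity{
		CommonName:    cert.Subject.CommonName,
		StreetAddress: cert.Subject.StreetAddress,
		Locality:      cert.Subject.Locality,
		PostalCode:    cert.Subject.PostalCode,
		Country:       cert.Subject.Country,
	}, nil
}

// matchesRecord is the relying-party check the post asks about: does the
// certified name and postcode line up with a record held elsewhere (e.g. a
// registry entry)? Comparison ignores case and runs of whitespace. Note that
// this only tells you the certificate *asserts* the address; how much that is
// worth depends entirely on who certified it and under what policy.
func matchesRecord(id PostalIdentity, recordName, recordPostcode string) bool {
	norm := func(s string) string {
		return strings.ToUpper(strings.Join(strings.Fields(s), " "))
	}
	if norm(id.CommonName) != norm(recordName) {
		return false
	}
	for _, pc := range id.PostalCode {
		if norm(pc) == norm(recordPostcode) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample values, not a real person or address.
	der, err := issueSelfSignedWithAddress("Example Person", "1 Sample Street", "Sampletown", "AB1 2CD", "GB")
	if err != nil {
		panic(err)
	}
	id, err := readPostalIdentity(der)
	if err != nil {
		panic(err)
	}
	fmt.Printf("certified subject: %+v\n", id)
	fmt.Println("matches registry record:", matchesRecord(id, "example person", "ab1 2cd"))
}
```

The round trip shows that the address attributes survive DER encoding and parsing unchanged, so nothing in the format prevents a CA from certifying them; the decision not to is policy, and a relying party should read the issuer's CP/CPS before treating such a field as verified.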