signing a robot's key - was: Re: Global Directory signatures

David Shaw dshaw at jabberwocky.com
Thu Dec 30 21:57:44 CET 2004


On Thu, Dec 30, 2004 at 03:37:26PM -0500, Atom 'Smasher' wrote:
> On Thu, 30 Dec 2004, David Shaw wrote:
> 
> > On Thu, Dec 30, 2004 at 01:50:24PM -0600, Kyle Hasselbacher wrote:
> >
> >> In some cases, a user might have wanted to use it as a trusted 
> >> introducer.  To assign owner trust, it has to be valid.  To be valid, 
> >> they have to sign it.  Perhaps some of them knew that this is better 
> >> done with a local signature and fat fingered the signing, but it's a 
> >> little hard to believe someone understood the web of trust well enough 
> >> to want to sign but not well enough to know a local sig was better.
> >
> > Oh, I can believe that.  It's the "I need to sign this to make things 
> > work" thing.  Do beginners necessarily understand what signing entails? 
> > No.  Do they necessarily understand what the web of trust even is?  No. 
> > All they know is that the instructions say to sign the key, so they sign 
> > the key.
> =====================
> 
> is that the behavior of PGP(tm)? i once helped someone use PGP(tm) and in 
> the 30-60 seconds that i was using it, it seemed to require a signature 
> before it would recognize an imported key... i helped the user to make a 
> non-exportable signature, but i don't recall that being the default.

Both GnuPG and PGP do more or less the same thing here.  You can
import keys freely, but such keys will remain invalid until there is a
valid trust path to the key.  Invalid keys are usable, but you get
some variation of the "are you sure?" message before you can use the
key.

If there is no valid trust path to the key, and you want to make it
valid (say, if you want to trust signatures issued by it, as in the
case of the GD key), then you need to sign or locally sign the key
yourself.  PGP's "Sign" command actually defaults to local signing.
You need to make an explicit action (check a check box) to make it a
regular exportable signature.  Note that I'm speaking about PGP 8
here, though I seem to recall that PGP 7 was the same.

David
