trust your corporation for keyowner identification?

Leo Gaspard ekleog at gmail.com
Thu Nov 7 17:09:30 CET 2013


On Thu, Nov 07, 2013 at 11:48:07AM +0100, Peter Lebbing wrote:
> On 06/11/13 23:28, Leo Gaspard wrote:
> > But mostly because signing is an attestation of your belief someone is who 
> > (s)he is. Thus, if you believe someone is who the UID states (s)he is as
> > much as if you met him/her in person and followed the whole verification
> > process, I would not mind your exporting signatures of the key.
> 
> I get the feeling you're partly responding to my adamant statements earlier, but
> you're confusing the situation I was responding to.

Well... The answer to your previous message was in my first two paragraphs. The
rest of my answer, to which you answered, was mostly thinking over some debate
that arose earlier, and whose authors I do not remember. Anyway, I think you
answered the most important part of my last message.

> I think you're saying: Person X tells me their key is K1. I blindly trust person
> X, and I know for a fact that person X was the one who told me K1 is his key.
> That is, you were in the same room, or you recognised their voice on the
> telephone, or something similar. This is acceptable to many people as a
> verification.
> 
> But this is not the situation I was talking about. It's this:
> 
> Person X (having key K1) has signed key K2, asserting that it is held by Y.
> Since you blindly trust X, you can assign him full (or hell, ultimate if you
> prefer) ownertrust, and key K2 is valid for you. You don't need to sign K2
> anymore, because it is already valid since you expressed your trust to GnuPG,
> and GnuPG uses it to validate that it belongs to Y.
> 
> Now, what Stan Tobias appeared to want, is sign key K2 himself, probably to
> express to others in the Web of Trust that he believes K2 to be valid. But this
> doesn't add any additional verification of key validity to the Web of Trust,
> it's noise. Because anyone else can look at the signature made by X, and decide:
> I trust X fully as well. They assign full trust to X, and K2 becomes valid.

Except they do not have to know X, nor that he makes perfectly reasonable
decisions in signing keys.

And I believe it's not noise. Let's make an example in the real world:
 * I would entrust X with my life
 * X would entrust Y with his life, without my knowing it
 * Thus, if I actually entrusted X with my life, why should I be frightened if X
   asked Y to take care of me? Provided, of course, X told me he was letting Y
   take care of me. After all, I would entrust X with my life, so I should just
   agree to any act he believes is good for me.
(That's what I called blind trust. Somewhat more than full trust, I believe.)

> Let's get back to ownertrust: in the Web of Trust, ownertrust is an expression
> of how well you think other people verify identities before they sign a key. If
> you sign key K2 based on X's signature, you haven't verified Y's identity.
> You've probably verified X's identity, but not Y's. So you shouldn't sign K2.

So, is a signature a matter of belief in the validity of the key or of actual
work to verify the key?

> You might believe Y when he or she walks up to you and says: my name is Y and K2
> is my key. But that is not what happened; X said: K2 is Y's key. Y didn't say
> anything to you, let alone that you verified it was actually Y talking. That's
> the absolutely necessary part of verification: you believe that it was actually
> Y that told you K2 is theirs. Just believing K2 is Y's key is not verification;
> it's key validity.
> 
> I'll give an example.
> 
> In the Web of Trust, key validity is a thing that can gradually build up until
> it passes a certain point where we say: I have so much proof that it appears to
> be valid, that I conclude it's, within reason, valid. This is why you have
> "completes needed", "marginals needed", and "max cert depth". The latter says:
> once we pass a certain depth, my proof of identity becomes so indirect I don't
> wish to trust that information anymore. I will paint a picture with the default
> settings, completes 1, marginals 3, max depth 5.

If I understood correctly, the depth parameter you are talking about is useless,
except in case there are trust signatures. And you agreed with me for them to be
taken out of the equation.

> Suppose A has signed B. There are three people C, D and E, who have full trust
> in A. They do what I'm arguing against: they sign key B as well, based on their
> trust of A.
> 
> Now I come along. I actually have key A valid as well, but quite indirectly: it
> is at level 4. I know A, but ownertrust is very personal. I think A does an okay
> job of verifying identities, but not to the rigorous level I personally demand.
> I work with pretty sensitive stuff, and my standards are high (I'm painting a
> picture here, not describing reality). So I assign him marginal ownertrust. Now
> what I would expect, is that I need some more signatures, and B will become
> valid at level 5, the level where I have configured GnuPG to say: okay, this is
> deep enough, I will not take into account B's signatures on other keys because
> the proof becomes too indirect.
> 
> However, I also know C, D and E, signed their keys and assigned them marginal
> ownertrust because I was under the impression they also verify identities pretty
> well. I don't know that they go around signing keys based on other people's
> signatures.

If you do not know their key signing policy, and assign them any ownertrust,
then are you working with such sensitive stuff?

At least, a key signing policy such as mine would be clear enough: I sign a key
when I believe it is valid as much as if I had met its owner in person.

> C, D and E are thus at level 1 in my web. They all signed B's key, so I think:
> that's reasonable proof that B is valid. Not only do I think that, so does
> GnuPG. It leads to B's key being valid at level 2. B can have another few levels
> of indirection before I consider the path too long. In fact, for signature paths
> through B, it effectively just changed my "max cert depth". B belongs at level
> 5, because the proof of validity is very indirect in my *own* web, but he's at
> level 2, so my "max cert depth" has effectively become 8 instead of 5 for paths
> through B.

Which is, as pointed above about trust signatures, quite irrelevant. (sorry for
being so blunt, I found no other wording)

> Furthermore, what does my Web of Trust seem to imply? It implies that 3
> reasonably trustworthy people all individually certified B's identity. That's a
> fair amount of proof that the identity is correct. More eyes have seen the
> passport or more people have known B for very long.
> 
> What is actually the case? This one person, A, whom I somewhat trust, has
> certified B's identity. It's almost as if I'd set my "marginals needed" to 1,
> because no more verification has ever been done of B's identity.

Wrong. More verification has been done for B's identity than you would have
thought. Because you believe A is marginally reliable, while your web of trust
believes A is fully reliable: C, D and E did enough work to check A is
trustworthy, which apparently you did not do.

If you believe they were wrong in this checking of A's trustworthiness, just
don't assign them ownertrust. Sure, this would weaken the WoT, but as you
conflict on whether A is trustworthy, why would you not conflict on whether B is
who (s)he is?

> This is why I am adamant that you should not sign based on other people's
> certifications. You are muddling my view, and I think I'm basing validity on one
> thing whereas I'm accidentally basing it on something else. I have keys on my
> ring that are valid, even though they did not pass my personal demands of
> verification.

In fact, they did. Because you assigned ownertrust to C, D, and E, which you
should not have done.

BTW, if I understood the WoT correctly, if C, D and E trust-signed A with full
ownertrust (after all, you're talking about max depth, so why not?), then your
WoT would have validated B anyway, as you marginally trusted C, D and E.

> Lying was also brought into the discussion, as if that changes things. We are
> talking about trust here; I'm making a mistake when I assign ownertrust to a
> liar, but that in no way implies that it's okay to sign keys without verification.

We do totally agree.

> When I find out people lie about their verifications, I set those people to "I
> do NOT trust". When I find out people sign keys they haven't verified, I set
> those people to "I do NOT trust".

So, finally your meaning of signatures is no longer about key validity, but
rather about key verification?

I still do not sort this out, sorry.

BTW, I do not know anyone I would trust enough to assign full ownertrust, let
alone re-signing keys signed by him/her.

> The rest of your message about how you check an identity is a different topic
> altogether. But let me say this: when I sign an UID, I primarily sign the name.
> I prefer there's no comment, so I don't have to think about that, and ownership
> of an e-mail address is an interesting topic. Who owns l.gaspard at yourisp.com?
> You or your ISP? Both? Neither? If you wish to debate about how you check an
> identity, please create a separate thread, because it is a different topic.

I did not mean to raise a topic on identity check, only to raise the issue that,
in fact, you are already relying on a single assertion for UID assessment,
whether it is the government or whatever.

However, if the government started to sign keys, would you assign it full
ownertrust? I think that, due to NSA scandals, most would not. But they would
just be fooled into thinking they are out of the reach of the government, as
most identity checks would be based on government assertion. But you would
expect people to continue checking information based on passports, right? So
you would implicitly condone this re-signing of the key.

Now, replace the word "government" with the word "person A", and you are back
with your example.


Cheers,

Leo
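To make the level-by-level validity computation Peter describes concrete (completes 1, marginals 3, max cert depth 5, and the keys A, B, C, D, E), here is a simplified simulation added to this page; it is not GnuPG's code and not part of the thread, it models ownertrust only (no trust signatures), and the chain P1, P2, P3 that places A at depth 4 is a constructed assumption.

```python
ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"


def compute_validity(signatures, ownertrust, completes_needed=1,
                     marginals_needed=3, max_cert_depth=5):
    """Return {key: depth} for every key that becomes fully valid.

    signatures: {signer: set of keys that signer certified}
    ownertrust: {key: ULTIMATE | FULL | MARGINAL}; other keys have none.
    Level by level, as GnuPG does: only the keys that became valid at
    depth d and carry ownertrust are counted as certifiers at depth d+1.
    """
    valid = {k: 0 for k, t in ownertrust.items() if t == ULTIMATE}
    certifiers = set(valid)
    for depth in range(1, max_cert_depth + 1):
        counts = {}  # candidate key -> [full certifications, marginal ones]
        for signer in certifiers:
            for key in signatures.get(signer, ()):
                if key in valid:
                    continue
                slot = counts.setdefault(key, [0, 0])
                slot[0 if ownertrust[signer] in (ULTIMATE, FULL) else 1] += 1
        newly_valid = {key: depth for key, (full, marg) in counts.items()
                       if full >= completes_needed or marg >= marginals_needed}
        valid.update(newly_valid)
        # Only newly valid keys to which I assigned ownertrust certify the next level.
        certifiers = {k for k in newly_valid if k in ownertrust}
        if not certifiers:
            break
    return valid


# Constructed keyring for the scenario in the thread: A is reachable only via a
# chain P1 -> P2 -> P3 (so A lands at depth 4), while C, D and E were signed by
# me directly. A, C, D and E have all signed B.
SIGNATURES = {
    "me": {"P1", "C", "D", "E"}, "P1": {"P2"}, "P2": {"P3"}, "P3": {"A"},
    "A": {"B"}, "C": {"B"}, "D": {"B"}, "E": {"B"},
}
OWNERTRUST = {"me": ULTIMATE, "P1": FULL, "P2": FULL, "P3": FULL,
              "A": MARGINAL, "C": MARGINAL, "D": MARGINAL, "E": MARGINAL}


def b_validity(with_resigning=True):
    """Depth at which B becomes valid (None if never), with or without C/D/E's signatures."""
    sigs = {s: set(keys) for s, keys in SIGNATURES.items()}
    if not with_resigning:
        for friend in ("C", "D", "E"):
            sigs[friend].discard("B")
    return compute_validity(sigs, OWNERTRUST).get("B")
```

With the three re-signatures B is valid at depth 2, three levels above A's own depth 4; with A's single marginal certification alone B never becomes fully valid, since one marginal is short of the three marginals needed.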


