signing a robot's key - was: Re: Global Directory signatures

Kyle Hasselbacher kyle at toehold.com
Thu Dec 30 20:50:24 CET 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Atom 'Smasher' wrote:

| why on earth would anyone sign this key? the UID identifies the key as
| belonging to "PGP Global Directory Verification Key"...

Some folks signed the Robot CA key (C521097E) to show that they believed that
it is what it says it is:  a gravel-dumb key verifier.

In some cases, a user might have wanted to use it as a trusted introducer.
To assign owner trust, it has to be valid.  To be valid, they have to sign
it.  Perhaps some of them knew that this is better done with a local
signature and fat-fingered the signing, but it's a little hard to believe
someone understood the web of trust well enough to want to sign but not well
enough to know a local sig was better.

Some people may have seen it as a back door into the global strong set.  The
Robot CA is in the strong set, and it gives out signatures easily.  Give a
signature back, and you're in the strong set too.

I signed it because I wrote it and run it.

Are folks signing the Global Directory key for the same reasons?  I don't
know, but it's possible.

Kyle
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-nr1 (Windows XP)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB1Fv/zS7R/flctWYRAvbrAKCQNEAmEyepjtgs/R/x9FA44GbXLACgpHS4
t1ClyCfBc32ueLaxWOTXGwI=
=g+iR
-----END PGP SIGNATURE-----



More information about the Gnupg-users mailing list
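
The local-versus-exportable distinction and the "back door into the strong set" described in the message above, as an added example that is not part of the original post: it models the published signature graph and takes the strong set to be its largest strongly connected component. Every key name except C521097E is constructed sample data, and `strong_set` and `in_strong_set` are hypothetical helper names.

```python
# Added illustration: a toy model of the published signature graph.
# All key names except C521097E are constructed sample data.

def strong_set(sigs):
    """Return the largest strongly connected component of the graph.

    sigs: iterable of (signer, signee, exportable) tuples. Local
    (non-exportable) signatures never leave the signer's keyring, so
    they are dropped before the public graph is built.
    """
    fwd, rev = {}, {}
    for signer, signee, exportable in sigs:
        for graph in (fwd, rev):
            graph.setdefault(signer, set())
            graph.setdefault(signee, set())
        if exportable:
            fwd[signer].add(signee)
            rev[signee].add(signer)

    def reach(graph, start):
        seen, stack = {start}, [start]
        while stack:
            for nxt in graph[stack.pop()] - seen:
                seen.add(nxt)
                stack.append(nxt)
        return seen

    # The component of a key = keys it reaches that also reach it.
    comps = {frozenset(reach(fwd, k) & reach(rev, k)) for k in fwd}
    return max(comps, key=len)

ROBOT = "C521097E"
BASE = [  # constructed: alice, bob and the robot already sign each other
    ("alice", "bob", True), ("bob", "alice", True),
    ("alice", ROBOT, True), (ROBOT, "alice", True),
    (ROBOT, "newuser", True),  # robot verified newuser and signed it
]

def in_strong_set(extra):
    """Is newuser in the strong set once the extra signatures exist?"""
    return "newuser" in strong_set(BASE + extra)

if __name__ == "__main__":
    print("no signature back:", in_strong_set([]))
    print("local sig back:   ", in_strong_set([("newuser", ROBOT, False)]))
    print("exportable back:  ", in_strong_set([("newuser", ROBOT, True)]))
```

A local signature still makes the robot's key valid in the signer's own keyring, which is all that assigning owner trust requires; only the exportable signature changes the public graph.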