signing a robot's key - was: Re: Global Directory signatures

David Shaw dshaw at jabberwocky.com
Thu Dec 30 21:41:07 CET 2004


On Thu, Dec 30, 2004 at 12:17:54AM -0500, Atom 'Smasher' wrote:

[people signing the GD key]

> why on earth would anyone sign this key? the UID identifies the key
> as belonging to "PGP Global Directory Verification Key"... can
> anyone prove ownership of that key? has the owner of that key been
> going to key signing parties all over the world?
> 
> the key has >250 signatures ranging from 0x10 - 0x13! can anyone
> explain to me why they signed this key, and how they verified that
> the key *really* is the "PGP Global Directory Verification Key"?

I'd estimate that around 5 of those signatures are genuine and the
majority of the rest are either completely or partially accidental.
Some people probably meant to locally sign, and some people just
didn't have any idea what they were doing.  I'm sure some people did
it intentionally with full understanding of what they were doing, but
I suspect they are in the minority.

It's an amusing example of how well people verify keys before they
sign them.  I have a (much smaller) number of similar unchecked
signatures on my own key.  My key comes with the GnuPG distribution,
so I think people use it for testing sometimes.

> unless someone can explain to me why they had a good reason for
> signing this key i'm tempted to include everyone who signed it in my
> "untrusted signers" list. signing a robot's key seems to violate
> every good practice of responsible keysigning.

Unless you are or know the robot's keeper.

It's an interesting keysigning question, actually.  Not just for
robots, but for any key that doesn't directly correspond to a single
human being (robots, nym keys, role accounts, etc).

David

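Anyone wondering what the certifications on such a key actually claim can tally them from `gpg --with-colons --list-sigs` output. The script below is an added example, not part of this thread; the `sig` record layout it assumes (signer key ID in field 5, class such as `13x` exportable or `13l` local in field 11) follows GnuPG's DETAILS description of the colon format, and the sample records are constructed.

```python
"""Tally RFC 4880 certification classes on a key from colon-format output.

Added example, not from the mailing-list thread. Record layout follows
GnuPG's documented --with-colons format; the SAMPLE records are constructed.
"""
from collections import Counter

# The four certification classes the thread refers to as 0x10 - 0x13.
CLASS_NAMES = {
    "10": "generic (no statement about checking)",
    "11": "persona (no verification claimed)",
    "12": "casual verification",
    "13": "positive verification",
}

# Constructed sample: a key with four certifications, one of them local
# (non-exportable), as someone who used lsign rather than sign would make.
SAMPLE = """\
pub:-:1024:17:0000000000000001:1104105600:::-:::scESC:
uid:-::::1104105600::0000000000000000000000000000000000000000::Example Verification Key <robot at example.org>:
sig:::17:0000000000000002:1104192000::::Signer One <one at example.org>:13x:
sig:::17:0000000000000003:1104192000::::Signer Two <two at example.org>:10x:
sig:::17:0000000000000004:1104192000::::Signer Three <three at example.org>:11x:
sig:::17:0000000000000005:1104192000::::Signer Four <four at example.org>:13l:
"""


def parse_sigs(text):
    """Return (Counter of class -> count, list of key IDs that signed locally)."""
    counts = Counter()
    local_signers = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] != "sig" or len(fields) < 11:
            continue
        sig_class = fields[10]            # e.g. "13x" exportable, "13l" local
        counts[sig_class[:2]] += 1
        if sig_class.endswith("l"):
            local_signers.append(fields[4])   # signer's key ID
    return counts, local_signers


def summarize(text):
    """Human-readable lines, one per class seen, plus the local signers."""
    counts, local_signers = parse_sigs(text)
    lines = [f"0x{c}: {n} ({CLASS_NAMES.get(c, 'unknown class')})"
             for c, n in sorted(counts.items())]
    return lines, local_signers


if __name__ == "__main__":
    for line in summarize(SAMPLE)[0]:
        print(line)
```

Run it against `gpg --with-colons --list-sigs KEYID` output instead of SAMPLE to see how many certifications on a key are positive (0x13) versus generic or persona, and which were made locally.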