signing a robot's key - was: Re: Global Directory signatures
David Shaw
dshaw at jabberwocky.com
Thu Dec 30 22:00:32 CET 2004

On Thu, Dec 30, 2004 at 02:43:03PM -0600, Kyle Hasselbacher wrote:
> | On Thu, 30 Dec 2004, Kyle Hasselbacher wrote:
> |
> |>> I signed it because I wrote it and run it.
>
> | that's a good reason. should i look for a 0x13 sig from the GD key to
> | you? i can't find that you and the GD key have exchanged signatures.
>
> No, sorry, I was talking about the Robot CA key (C521097E). It and I have
> certainly exchanged signatures. I'm on the GD, so I have its signature (if
> you ask the GD for it), but I haven't signed the GD key. If I ever do, it
> will be to certify that it is what it says it is (a dumb key signer). Like
> my other signatures, that's not an endorsement of its key signing policy,
> just certification of identity.

Ideally, signing a key should never be affected by a key signing
policy, though since this is the real world, it certainly is a factor.
Still, how would you go about checking the identity of a key that
identifies itself only as "PGP Global Directory Verification Key"? I
can certainly understand that you signed the Robot CA key, but signing
the GD key seems to be a leap of faith rather than actual hard
knowledge.

David