signing a robot's key - was: Re: Global Directory signatures

David Shaw dshaw at
Thu Dec 30 22:00:32 CET 2004

On Thu, Dec 30, 2004 at 02:43:03PM -0600, Kyle Hasselbacher wrote:
> | On Thu, 30 Dec 2004, Kyle Hasselbacher wrote:
> |
> |>> I signed it because I wrote it and run it.
> | that's a good reason. should i look for a 0x13 sig from the GD key to
> | you? i can't find that you and the GD key have exchanged signatures.
> No, sorry, I was talking about the Robot CA key (C521097E).  It and I have
> certainly exchanged signatures.  I'm on the GD, so I have its signature (if
> you ask the GD for it), but I haven't signed the GD key.  If I ever do, it
> will be to certify that it is what it says it is (a dumb key signer).  Like
> my other signatures, that's not an endorsement of its key signing policy,
> just certification of identity.

Ideally, signing a key should never be affected by a key signing
policy, though since this is the real world, it certainly is a factor.

Still, how would you go about checking the identity of a key that
identifies itself only as "PGP Global Directory Verification Key" ?  I
can certainly understand that you signed the Robot CA key, but signing
the GD key seems to be a leap of faith rather than actual hard


More information about the Gnupg-users mailing list