signing a robot's key - was: Re: Global Directory signatures

Jeff Fisher jeff+gnupg at jeffenstein.dyndns.org
Thu Dec 30 22:36:57 CET 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, Dec 30, 2004 at 04:00:32PM -0500, David Shaw wrote:
>
> Still, how would you go about checking the identity of a key that
> identifies itself only as "PGP Global Directory Verification Key" ?  I
> can certainly understand that you signed the Robot CA key, but signing
> the GD key seems to be a leap of faith rather than actual hard
> knowledge.

It's signing keys left and right, which started this whole discussion.  Is
there any doubt that this particular key is anything but what it purports to
be?  If so, where are the real signatures from the real key that is supposed
to be fulfilling this role?

For most of us, we're assuming that there is not an adversary with infinite
resources out to get us.  If there were, I would not trust any signatures
except my own, or those of personally trusted associates. (And probably not
gnupg itself or this computer, but there it is...)

- --
Me - jeff at jeffenstein.dyndns.org


