signing a robot's key - was: Re: Global Directory signatures
atom at suspicious.org
Thu Dec 30 22:57:36 CET 2004
On Thu, 30 Dec 2004, Jeff Fisher wrote:
> It's signing keys left and right, which started this whole discussion.
> Is there any doubt that this particular key is anything but what it
> purports to be? If so, where are the real signatures from the real key
> that is supposed to be fulfilling this role?
> For most of us, we're assuming that there is not an adversary with
> infinite resources out to get us. If there were, I would not trust any
> signatures except my own, or those of personally trusted associates.
> (And probably not gnupg itself or this computer, but there it is...)
i (or anyone) can generate a key that's identified as "PGP Global
Directory Verification Key" and sign any number of keys with it. one can
even get a list of keys that have exchanged signatures with the real key
and sign all of them. that doesn't make it the real thing, but it sure
would cause a lot of confusion.
if i sign your key, and you sign bob's key, that doesn't mean that i
should go and sign bob's key (unless i first verify it with bob). sure, i
can trace a path from me to bob, but that's very different than signing
bob's key because of that path.
signing a key is a statement that one has checked and verified that the
key really belongs to the person or group identified by the key. unless
that verification is actually done, the only statement being made is that
someone is issuing bad signatures.
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
"Politics is the art of preventing people from taking part
in affairs which properly concern them."
-- Paul Valery
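An added example, not part of the post above nor GnuPG's own code, modelling its argument in Python: a user ID string is not an identity, a signature path from me to bob is not my certification of bob, and an impostor key's signatures add no validity under GnuPG-style trust rules. All fingerprints, keys and signatures are constructed placeholders.

```python
from collections import defaultdict
# Keys are identified by fingerprint (constructed placeholders), never by the
# user ID string: two keys can carry exactly the same name.
KEYS = {
    "FP-ME": "me <me@example.org>",
    "FP-ALICE": "alice <alice@example.org>",
    "FP-BOB": "bob <bob@example.org>",
    "FP-GD-REAL": "PGP Global Directory Verification Key",
    "FP-GD-FAKE": "PGP Global Directory Verification Key",  # impostor, same UID
}
# Certifications actually issued: signer fingerprint -> signed fingerprints.
SIGS = defaultdict(set)
SIGS["FP-ME"].add("FP-ALICE")        # I checked alice's key with alice
SIGS["FP-ALICE"].add("FP-BOB")       # alice checked bob's key with bob
SIGS["FP-GD-FAKE"].update({"FP-ME", "FP-ALICE", "FP-BOB"})  # signs "left and right"

def fingerprints_for_uid(uid):
    return sorted(fp for fp, name in KEYS.items() if name == uid)

def certified_by_me(me, target):
    # A certification is a signature I issued after verifying; nothing transitive.
    return target in SIGS[me]

def signature_path_exists(me, target):
    # Tracing a chain of signatures from me to target is not certifying target.
    seen, stack = set(), [me]
    while stack:
        fp = stack.pop()
        if fp == target:
            return True
        seen.add(fp)
        stack.extend(SIGS[fp] - seen)
    return False

def valid_keys(me, ownertrust, marginals_needed=3):
    # GnuPG-style validity: valid if I signed it, or signed by a valid key I fully
    # trust, or by `marginals_needed` valid keys I trust marginally. Signatures
    # from keys that are not themselves valid count for nothing.
    valid = {me} | set(SIGS[me])
    changed = True
    while changed:
        changed = False
        for fp in set(KEYS) - valid:
            signers = [s for s in valid if fp in SIGS[s]]
            full = sum(ownertrust.get(s) == "full" for s in signers)
            marginal = sum(ownertrust.get(s) == "marginal" for s in signers)
            if full >= 1 or marginal >= marginals_needed:
                valid.add(fp)
                changed = True
    return valid
```

With no ownertrust assigned, only the key I signed myself is valid; giving alice full trust makes bob valid through her signature, yet `certified_by_me` for bob stays false, and the impostor's signatures never contribute because nobody in my web vouches for that fingerprint.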