signing a robot's key - was: Re: Global Directory signatures

Atom 'Smasher' atom at
Thu Dec 30 22:57:36 CET 2004

On Thu, 30 Dec 2004, Jeff Fisher wrote:

> It's signing keys left and right, which started this whole discussion.
> Is there any doubt that this particular key is anything but what it
> purports to be?  If so, where are the real signatures from the real key
> that is supposed to be fulfilling this role?
> For most of us, we're assuming that there is not an adversary with 
> infinite resources out to get us.  If there were, I would not trust any 
> signatures except my own, or those of personally trusted associates. 
> (And probably not gnupg itself or this computer, but there it is...)

i (or anyone) can generate a key that's identified as "PGP Global 
Directory Verification Key" and sign any number of keys with it. one can 
even get a list of keys that have exchanged signatures with the real key 
and sign all of them. that doesn't make it the real thing, but it sure 
would cause a lot of confusion.

if i sign your key, and you sign bob's key, that doesn't mean that i 
should go and sign bob's key (unless i first verify it with bob). sure, i 
can trace a path from me to bob, but that's very different than signing 
bob's key because of that path.

signing a key is a statement that one has checked and verified that the 
key really belongs to the person or group identified by the key. unless 
that verification is actually done, the only statement being made is that 
someone is issuing bad signatures.

-- 

  PGP key -
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808

  "Politics is the art of preventing people from taking part
   in affairs which properly concern them."
        -- Paul Valery
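The distinction drawn in the message above (a user ID string anyone can reuse versus a key's fingerprint, and a chain of signatures versus a key actually being valid) can be made concrete with a small model of the GnuPG-style web-of-trust validity calculation. This is an added example, not code from the mailing-list post or from GnuPG itself; all fingerprints, names and signatures in it are constructed placeholders, and it uses the GnuPG default thresholds (one fully trusted or three marginally trusted certifiers) without the depth limit.

```python
# Added example, not part of the original message: a small model of the
# GnuPG-style web-of-trust validity computation. Keys are identified by
# fingerprint only; the user ID is free text that anyone can reuse.
# All fingerprints, names and signatures below are constructed placeholders.
from collections import deque
from dataclasses import dataclass, field
from enum import Enum


class Trust(Enum):
    """Owner trust: how far *I* trust this key holder to verify other people."""
    NONE = 0
    MARGINAL = 1
    FULL = 2
    ULTIMATE = 3


@dataclass
class Key:
    fpr: str                                # fingerprint (constructed placeholder)
    uid: str                                # user ID string; not an identity by itself
    sigs: set = field(default_factory=set)  # fingerprints that certified this key


@dataclass
class Keyring:
    keys: dict                  # fpr -> Key
    owner_trust: dict           # fpr -> Trust, assigned by me
    marginals_needed: int = 3   # GnuPG defaults
    completes_needed: int = 1

    def certify(self, signer: str, target: str) -> None:
        """Record that `signer` signed `target`. The model cannot tell whether
        the signer verified anything before signing; only I can judge that."""
        self.keys[target].sigs.add(signer)

    def valid_keys(self) -> set:
        """Fingerprints whose user ID I may believe: a key is valid if enough
        *valid* keys that I have assigned owner trust to have certified it,
        starting from my own ultimately trusted key."""
        valid = {f for f, t in self.owner_trust.items() if t is Trust.ULTIMATE}
        changed = True
        while changed:
            changed = False
            for key in self.keys.values():
                if key.fpr in valid:
                    continue
                trusted = [self.owner_trust.get(s, Trust.NONE)
                           for s in key.sigs if s in valid]
                full = sum(t in (Trust.FULL, Trust.ULTIMATE) for t in trusted)
                marginal = sum(t is Trust.MARGINAL for t in trusted)
                if full >= self.completes_needed or marginal >= self.marginals_needed:
                    valid.add(key.fpr)
                    changed = True
        return valid

    def keys_with_uid(self, uid: str) -> list:
        """All fingerprints carrying a given user ID string."""
        return sorted(k.fpr for k in self.keys.values() if k.uid == uid)

    def has_path(self, start: str, goal: str) -> bool:
        """Is there a chain of signatures start -> ... -> goal? A path is not
        validity: it says nothing about whether anyone on it verified anything."""
        signed_by = {}
        for key in self.keys.values():
            for signer in key.sigs:
                signed_by.setdefault(signer, set()).add(key.fpr)
        seen, queue = {start}, deque([start])
        while queue:
            cur = queue.popleft()
            if cur == goal:
                return True
            for nxt in signed_by.get(cur, set()) - seen:
                seen.add(nxt)
                queue.append(nxt)
        return False


# Constructed fingerprints (placeholders, not real keys).
ME, YOU, BOB = "FPR-ME-0001", "FPR-YOU-0002", "FPR-BOB-0003"
DIR_REAL, DIR_FAKE = "FPR-DIR-0004", "FPR-FAKE-0005"
DIRECTORY_UID = "PGP Global Directory Verification Key"


def example_keyring() -> Keyring:
    """Constructed scenario: I signed you, you signed Bob, and a second key
    reusing the directory's user ID has signed everyone in sight."""
    kr = Keyring(keys={
        ME: Key(ME, "Me <me@example.invalid>"),
        YOU: Key(YOU, "You <you@example.invalid>"),
        BOB: Key(BOB, "Bob <bob@example.invalid>"),
        DIR_REAL: Key(DIR_REAL, DIRECTORY_UID),
        DIR_FAKE: Key(DIR_FAKE, DIRECTORY_UID),   # same UID, different key
    }, owner_trust={ME: Trust.ULTIMATE})
    kr.certify(ME, YOU)           # I verified you and signed your key
    kr.certify(YOU, BOB)          # you signed Bob's key
    kr.certify(DIR_REAL, BOB)     # the directory key signed Bob too
    for target in (ME, YOU, BOB):
        kr.certify(DIR_FAKE, target)   # the look-alike signs left and right
    return kr


if __name__ == "__main__":
    kr = example_keyring()
    print("valid:", sorted(kr.valid_keys()))        # only ME and YOU
    print("path me->bob:", kr.has_path(ME, BOB))    # True, yet Bob is not valid
    print("keys claiming directory UID:", kr.keys_with_uid(DIRECTORY_UID))
```

Two things fall out of running it. `keys_with_uid` returns both keys claiming the directory's name, so the name alone selects nothing; only the fingerprint does. And `has_path(ME, BOB)` is true while Bob's key is not valid, because I never assigned owner trust to your key: the signatures of the look-alike key count for nothing either, however many it issues. Bob's key becomes valid only when I either assign owner trust to you (`kr.owner_trust[YOU] = Trust.FULL`) or verify Bob myself and certify his key directly, which is exactly the decision the message says a signature is supposed to record.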
