signing a robot's key - was: Re: Global Directory signatures

David Shaw dshaw at
Fri Dec 31 04:17:12 CET 2004

On Thu, Dec 30, 2004 at 10:36:57PM +0100, Jeff Fisher wrote:
> On Thu, Dec 30, 2004 at 04:00:32PM -0500, David Shaw wrote:
> >
> > Still, how would you go about checking the identity of a key that
> > identifies itself only as "PGP Global Directory Verification Key" ?  I
> > can certainly understand that you signed the Robot CA key, but signing
> > the GD key seems to be a leap of faith rather than actual hard
> > knowledge.
> It's signing keys left and right, which started this whole
> discussion.  Is there any doubt that this particular key is anything
> but what it purportes to be?  If so, where are the real signatures
> from the real key that is supposed to be fullfilling this role?

There is a difference between believing something personally, and
making a public statement about that same something.  The first is
opinion.  The second needs proof.

Key 57548DCD is the key that signs new GnuPG releases.  I believe that
this key belongs to Werner.  It would be absurdly difficult for it to
be some imposter since there have been however many GnuPG releases
over the past few years, all signed by this key.  Realistically, it is
utterly obvious that Werner is the key owner.  Would I sign this key
without meeting Werner?  No.

Perhaps a better example would be Jason Harris' key D39DA0E3.  I never
met Jason, but his key is fully valid to me because I met another
fellow and signed his key, and he in turn met Jason and signed his
key.  Am I confident that Jason's key is really D39DA0E3?  Absolutely.
Not only do I trust Douglas' signature, but Jason also signs his
email, so I see a ton of signatures coming from Jason all from key
D39DA0E3.  Still wouldn't sign it without meeting Jason in person.

Crazy, no doubt!

> For most of us, we're assuming that there is not an adversary with
> infinite resources out to get us.  If there were, I would not trust
> any signatures except my own, or those of personally trusted
> associates. (And probably not gnupg itself or this computer, but
> there it is...)

Indeed.  With trust issues it is very easy to paranoid oneself into
immobility.  The idea behind the GD is that some people are willing to
trade a (hopefully small) amount of security for a (hopefully large)
amount of usability.  The neat bit of design the PGP folks did in the
GD is that you can choose to get some of the usability features
without trading anything in security.  They left it up to the user
what tradeoff to make.


More information about the Gnupg-users mailing list