Signing a Key

Jason Harris jharris at widomaker.com
Sat Feb 5 00:51:31 CET 2005


On Fri, Feb 04, 2005 at 03:48:31PM -0500, David Shaw wrote:
> On Fri, Feb 04, 2005 at 02:57:08PM -0500, Jason Harris wrote:
> > On Fri, Feb 04, 2005 at 01:39:05PM -0500, David Shaw wrote:

> > > Some people decided that since a level 1 "I didn't check at all"
> > > signature type was available, that it was a Real Good Idea to sign
> > > every single key they saw.
> > 
> > In the 2005-01-23 keyanalyze keydump, there are 2896 0x11 (userid cert.)
> > sigs. from 589 issuers (unique long keyids).  296 issuers (50%) only
> > issued one 0x11 sig. and 560 (95%) issued less than ten 0x11 sigs.
> > 0x10581685C521097E (Kyle's RobotCA instance) is responsible for 592
> > such sigs, or 20%, 0x6EA7FB4DE0BB4BCD (telering.at's RobotCA instance)
> > issued 217, or 7.5%, and 0x25360A719C851DF1 (ImperialViolet) issued 127.
> > Only two individuals issued more 0x11 sigs than my 40.
> 
> I'm afraid I don't see the point you're trying to make.

Looking at the stats, the number of people issuing 0x11 signatures
doesn't seem worrisome, and having issued 40 such sigs myself, there
are only two individuals I'd question about issuing even more
(specifically, 69 and 52) 0x11 signatures.

Furthermore, since the RFC allows one to explicitly assert (quoting
draft-ietf-openpgp-rfc2440bis-12.txt):

   0x11: Persona certification of a User ID and Public Key packet.
       The issuer of this certification has not done any verification
       of the claim that the owner of this key is the User ID
       specified.

rather than always just:

   0x10: Generic certification of a User ID and Public Key packet.
       The issuer of this certification does not make any particular
       assertion as to how well the certifier has checked that the
       owner of the key is in fact the person described by the User ID.
       Note that all PGP "key signatures" are this type of
       certification.

I feel everyone should be given the opportunity to do so.  Per the RFC,
0x11 sigs don't even require email verification, so I see no harm in
allowing one to state "I checked nothing" v. "I won't tell you what I
did and/or didn't check."  Even requiring a policy URL or other
explanation/justification for each signature won't allow us to determine
the _highly subjective_ nature of one's signature levels in any automated
way, by definition in the RFC:

       Please note that the vagueness of these certification claims is
       not a flaw, but a feature of the system. Because PGP places
       final authority for validity upon the receiver of a
       certification, it may be that one authority's casual
       certification might be more rigorous than some other authority's
       positive certification. These classifications allow a
       certification authority to issue fine-grained claims.

so we may as well resign ourselves to this fact.

(Thus, GPG's --min-cert-level probably needs to be settable per signer -
after reviewing the signer's policies - to account for these differences.)

-- 
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004
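As an added example, not from the thread or from GnuPG itself: a small Python script that derives per-issuer 0x11 statistics like those quoted above from `gpg --with-colons --list-sigs` output and applies a per-signer minimum certification level, the refinement suggested at the end of the message. The record layout follows GnuPG's colon format (field 5 is the issuer key ID, field 11 the signature class); the key IDs, dates and user IDs in the sample are constructed.

```python
from collections import Counter

# Constructed sample of `gpg --with-colons --list-sigs` records (not real keys).
# Field 11 holds the RFC 2440/4880 signature class in hex followed by
# 'x' (exportable) or 'l' (local); 0x13 lines on a key's own UID are self-sigs.
SAMPLE = """\
pub:f:1024:17:AAAA000000000001:2004-01-01:::-:Alice <alice@example.org>::
sig:::17:AAAA000000000001:2004-01-01::::Alice <alice@example.org>:13x:
sig:::17:BBBB000000000002:2005-01-20::::Bob <bob@example.org>:11x:
sig:::17:CCCC000000000003:2005-01-21::::Carol <carol@example.org>:10x:
sig:::17:EEEE000000000005:2005-01-21::::Eve <eve@example.org>:11x:
pub:f:1024:17:DDDD000000000004:2004-06-01:::-:Dave <dave@example.org>::
sig:::17:DDDD000000000004:2004-06-01::::Dave <dave@example.org>:13x:
sig:::17:BBBB000000000002:2005-01-22::::Bob <bob@example.org>:11x:
sig:::17:CCCC000000000003:2005-01-22::::Carol <carol@example.org>:12x:
"""

def parse_sigs(colon_output):
    """Return (subject, issuer, level) for third-party certifications.
    level = class - 0x10 (0 generic, 1 persona, 2 casual, 3 positive);
    self-signatures and non-certification records are skipped."""
    sigs, subject = [], None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            subject = f[4]
        elif f[0] == "sig" and subject and len(f) > 10 and f[10]:
            klass = int(f[10][:2], 16)
            if 0x10 <= klass <= 0x13 and f[4] != subject:
                sigs.append((subject, f[4], klass - 0x10))
    return sigs

def issuer_stats(sigs, level=1):
    """Per-issuer count of certifications at `level` and the issuer's share
    (percent) of all such sigs, the figures Jason computed for 0x11."""
    counts = Counter(issuer for _, issuer, lvl in sigs if lvl == level)
    total = sum(counts.values())
    return {iss: (n, round(100.0 * n / total, 1)) for iss, n in counts.items()}

def accepted(sigs, default_min=2, per_signer_min=None):
    """Apply --min-cert-level semantics with a per-signer override (assumed
    interface, not a GnuPG option). As in GnuPG, level 0 (0x10, 'no particular
    claim') is always accepted; the default of 2 disregards 0x11 persona sigs."""
    per_signer_min = per_signer_min or {}
    return [(s, i, lvl) for s, i, lvl in sigs
            if lvl == 0 or lvl >= per_signer_min.get(i, default_min)]

if __name__ == "__main__":
    sigs = parse_sigs(SAMPLE)
    print(issuer_stats(sigs))          # who issues 0x11 sigs, and how many
    print(len(accepted(sigs)), "accepted with the default --min-cert-level")
    print(len(accepted(sigs, per_signer_min={"BBBB000000000002": 1})),
          "accepted after reviewing Bob's policy and trusting his 0x11 sigs")
```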