signing a robot's key - was: Re: Global Directory signatures

Jeff Fisher jeff+gnupg at
Sat Jan 1 13:03:59 CET 2005


On Thu, Dec 30, 2004 at 10:17:12PM -0500, David Shaw wrote:
> On Thu, Dec 30, 2004 at 10:36:57PM +0100, Jeff Fisher wrote:
> > On Thu, Dec 30, 2004 at 04:00:32PM -0500, David Shaw wrote:
> > >
> > > Still, how would you go about checking the identity of a key that
> > > identifies itself only as "PGP Global Directory Verification Key" ?  I
> > > can certainly understand that you signed the Robot CA key, but signing
> > > the GD key seems to be a leap of faith rather than actual hard
> > > knowledge.
> > 
> > It's signing keys left and right, which started this whole
> > discussion.  Is there any doubt that this particular key is anything
> > but what it purports to be?  If so, where are the real signatures
> > from the real key that is supposed to be fulfilling this role?
> There is a difference between believing something personally, and
> making a public statement about that same something.  The first is
> opinion.  The second needs proof.
> Key 57548DCD is the key that signs new GnuPG releases.  I believe that
> this key belongs to Werner.  It would be absurdly difficult for it to
> be some imposter since there have been however many GnuPG releases
> over the past few years, all signed by this key.  Realistically, it is
> utterly obvious that Werner is the key owner.  Would I sign this key
> without meeting Werner?  No.

The difference between the two here is that the key 57548DCD purports to be
Werner Koch (gnupg sig) <dd9jn at>, not "GnuPG release signing key."  It
is intended for a role, but also has a link to a real person and an e-mail
address.  For this key, you would need to verify all three bits of information
for signing.

However, for key CA57AD7C, the only bit of information on the key is: "PGP
Global Directory Verification Key."  To verify this, you only need to confirm
that it is fulfilling this role.  Indeed, there is no way that meeting someone
in meatspace can confirm this, without that person abusing the intended role
for this key, thus eroding trust in it.  In the above case, if the key had
said only "GnuPG release signing key", and had a history of signing the gnupg
releases, that would be the only verification needed to identify the key as
what it purports to be.  Verifying that person X has control of this key is
superfluous to verifying its role.

-- 
Me - jeff at
