signing a robot's key - was: Re: Global Directory signatures

[Jeff Fisher]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, Dec 30, 2004 at 10:17:12PM -0500, David Shaw wrote:
> On Thu, Dec 30, 2004 at 10:36:57PM +0100, Jeff Fisher wrote:
> > On Thu, Dec 30, 2004 at 04:00:32PM -0500, David Shaw wrote:
> > >
> > > Still, how would you go about checking the identity of a key that
> > > identifies itself only as "PGP Global Directory Verification Key" ?  I
> > > can certainly understand that you signed the Robot CA key, but signing
> > > the GD key seems to be a leap of faith rather than actual hard
> > > knowledge.
> > 
> > It's signing keys left and right, which started this whole
> > discussion.  Is there any doubt that this particular key is anything
> > but what it purportes to be?  If so, where are the real signatures
> > from the real key that is supposed to be fullfilling this role?
> 
> There is a difference between believing something personally, and
> making a public statement about that same something.  The first is
> opinion.  The second needs proof.
> 
> Key 57548DCD is the key that signs new GnuPG releases.  I believe that
> this key belongs to Werner.  It would be absurdly difficult for it to
> be some imposter since there have been however many GnuPG releases
> over the past few years, all signed by this key.  Realistically, it is
> utterly obvious that Werner is the key owner.  Would I sign this key
> without meeting Werner?  No.

The difference between the two here is that the key 57548DCD purportes to be 
Werner Koch (gnupg sig) <dd9jn at gnu.org>, not "GnuPG release signing key."  It
is intended for a role, but also has a link to a real person and an e-mail
address.  For this key, you would need to verify all three bits of information
for signing. 

However, for key CA57AD7C, the only bit of information on the key is: "PGP
Global Directory Verification Key."  To verify this, you only need to confirm
that it is fulfilling this role.  Indeed, there is no way that meeting someone
in meatspace can confirm this, without that person abusing the intended role
for this key, thus eroding trust in it.  In the above case, if they key had
said only "GnuPG release signing key", and had a history of signing the gnupg
releases, that would be the only verification needed to identify the key as
what it purportes to be.  Verifying that person X has control of this key is
superfluous to verfifying it's role.

- -- 
Me - jeff at jeffenstein.dyndns.org
-----BEGIN PGP SIGNATURE-----

iQIVAwUBQdaRrxwPMBUZyYf1AQhbYhAApR+5NpcnkzXK1MegLe7OcrR8FREUtBlf
AaTQtoPYB+UrZ10elTUKUDJJTlN0XE+AZKvVhvN4rN/OyARweYM0sMIOmhl2+EMb
h1tT1axGXAHapGWsvQ+bkk8lfq77h1hkE/jEB91Rlg1D+lSdELS3k5IF5Q8IcnSl
wTsgQ3o1eRGldd30CT+GONuggbgOTpjwZXarRspODlsLZvQM9z+/AvjX9sea8KI4
o1PWMLB+WhuF7ghvn0/O2DZvRkP9FZvRha4kLQrydVv9iG5L5djMZmwD6fj22I4q
9nrM4F27olVjuIc8KPnYqOpbTB7J59ppFWy4rj73dDNggYZp6BgHjRRfAMIDYAPG
THOzQj6wRjFaTkDj10uprDNmIXU0sOOQVDo/3sbQ619tnkmjRfjq9S2lqhZ90jbp
FU3Nlv1NjkHh4HsSYZVmJD0bQNWg7Jesak449XvCjcavaP1ix62gApsdXpi2cj82
OZfXQL72BmQvBjn65Tb+aBcH+2+OG4+Tkx3p9vR9ehVgVr1Wje5P12zqtS1RmzUs
RDXiN6cFJO99iN2IIsr9wedoXhoVXiPDOfyqGIuHfXL56zeUrf363L8MqdSC6Q8e
i8sj8puGgcGP9EPs/bAUNnbLRKCGamT9GyG5C3LbP81ZCRKWUOmb/v4odsl8zkpO
gnc29n0Ozk0=
=4crS
-----END PGP SIGNATURE-----