signing a robot's key - was: Re: Global Directory signatures

Neil Williams linux at codehelp.co.uk
Sat Jan 1 14:31:35 CET 2005


On Saturday 01 January 2005 12:03 pm, Jeff Fisher wrote:
> The difference between the two here is that the key 57548DCD purports to
> be Werner Koch (gnupg sig) <dd9jn at gnu.org>, not "GnuPG release signing
> key."  It is intended for a role, but also has a link to a real person and
> an e-mail address.  For this key, you would need to verify all three bits
> of information for signing.
>
> However, for key CA57AD7C, the only bit of information on the key is: "PGP
> Global Directory Verification Key."  To verify this, you only need to
> confirm that it is fulfilling this role.

But you cannot do that: you cannot prove to me that it is that key. There is 
no way that I can verify the key because I cannot verify the UID. As David 
said, it is trivial to create yet another PGP Global Directory Verification 
Key - how can you prove which one is 'real'? As it would be my own key, 
created under false pretences, I could introduce it to PGP GD and sign 
whatever I wanted with it. 

Without verifying the UID you cannot verify the key.

Without verifying the key, you cannot prove that the key is genuine.

Without proof that the key is genuine, you must NOT sign the key!!!

> Indeed, there is no way that 
> meeting someone in meatspace can confirm this, without that person abusing
> the intended role for this key, thus eroding trust in it.

Exactly, so the key is impossible for those outside PGP to verify. Unless you 
have inside knowledge of who really created that key and who has access to 
the secret key, you CANNOT verify that key.

> In the above 
> case, if the key had said only "GnuPG release signing key", and had a
> history of signing the gnupg releases, that would be the only verification
> needed to identify the key as what it purports to be.

Rubbish - it's not verifying the key at all, it's merely recognising what it 
purports to be. No verification has been achieved, no proof has been shown 
because none exists. You must have inside knowledge before you can sign this 
key - the UID alone is insufficient and cannot be positively identified.

> Verifying that 
> person X has control of this key is superfluous to verifying its role.

True, but that also means that this key CANNOT be verified.

I despair at those who are willing to sign unverifiable keys; I will NOT sign 
any key that cannot be properly verified to me. I can prove that every 
signature I have made was verified - positively identified as that physical 
person, that precise key, that email address.

I fail to see that anyone can ever deem it reasonable to sign keys when 
verification hasn't even taken place.

A signature is NOT for your benefit - it is a testament to others that YOU 
have positively identified that person, that key and that UID and that you 
can PROVE your verification.

People need to be able to use signatures; signing a key that is not 
identifiable to a physical person is pointless. Only a fool signs without 
verifying the physical person. If no physical person can be identified, it 
should never be signed! Simple!

Don't sign it unless you can prove it!

-- 

Neil Williams
=============
http://www.dclug.org.uk/
http://www.nosoftwarepatents.com/
http://sourceforge.net/projects/isbnsearch/
http://www.williamsleesmill.me.uk/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
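As an added illustration that is not part of the original message: the rule argued above (sign only a UID that can be positively identified as a physical person, a precise key and an e-mail address), applied mechanically to `gpg --with-colons` listing output in Python. The short key IDs and UID strings are the ones quoted in the thread; the long key IDs, fingerprints, UID hashes and timestamps in the embedded sample are constructed placeholders, and `verifiable()` encodes the policy from this reply, not any GnuPG behaviour.

```python
"""Triage OpenPGP user IDs by the signing policy argued in the thread:
a key signature attests that the signer positively identified a
physical person, a precise key and that UID's e-mail address, so a UID
that names neither a person nor an address cannot be verified and
should not be signed.  Input is `gpg --with-colons` listing output."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `gpg --with-colons --list-keys` output for the two
# keys discussed above. The short key IDs and the UID strings are the ones
# quoted in the thread; the upper halves of the long key IDs, the
# fingerprints, the UID hashes and the timestamps are placeholders.
SAMPLE_COLON_OUTPUT = """\
pub:-:1024:17:0000000057548DCD:1104537600:::-:::scESC:
fpr:::::::::0000000000000000000000000000000057548DCD:
uid:-::::1104537600::0000000000000000000000000000000000000000::Werner Koch (gnupg sig) <dd9jn@gnu.org>::::::::::0:
pub:-:1024:17:00000000CA57AD7C:1104537600:::-:::scESC:
fpr:::::::::00000000000000000000000000000000CA57AD7C:
uid:-::::1104537600::1111111111111111111111111111111111111111::PGP Global Directory Verification Key::::::::::0:
"""

# gpg escapes ':' inside a field as "\x3a"; other bytes may appear as \xNN too.
_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# name, optional "(comment)", optional "<email>", as gpg builds user IDs.
_USERID = re.compile(
    r"^(?P<name>[^(<]*?)\s*(?:\((?P<comment>[^)]*)\))?\s*(?:<(?P<email>[^>]+)>)?\s*$"
)


@dataclass
class KeyUid:
    keyid: str            # 64-bit key ID as printed in the pub record
    userid: str           # the raw user ID string
    name: Optional[str]
    comment: Optional[str]
    email: Optional[str]


def unescape_colon_field(field: str) -> str:
    """Undo gpg's \\xNN escaping of a --with-colons field."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), field)


def parse_userid(userid: str) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Split 'Name (comment) <email>' into its three parts (None if absent)."""
    m = _USERID.match(userid)
    if m is None:
        return None, None, None
    name = m.group("name").strip() or None
    return name, m.group("comment"), m.group("email")


def parse_uids(colon_output: str) -> List[KeyUid]:
    """Walk pub/uid records and attach each UID to the key it belongs to."""
    uids: List[KeyUid] = []
    keyid = ""
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            keyid = fields[4]                         # field 5: long key ID
        elif fields[0] == "uid" and keyid:
            userid = unescape_colon_field(fields[9])  # field 10: user ID
            name, comment, email = parse_userid(userid)
            uids.append(KeyUid(keyid, userid, name, comment, email))
    return uids


def verifiable(uid: KeyUid) -> bool:
    """The thread's rule: a UID can only be positively identified when it
    names a physical person AND an e-mail address to check alongside the
    key fingerprint.  A role-only UID ("PGP Global Directory Verification
    Key") can be recreated by anyone, so nothing ties it to a person."""
    return bool(uid.name) and bool(uid.email)


def signing_report(colon_output: str) -> Dict[str, bool]:
    """Map each short (32-bit) key ID to whether any of its UIDs could be
    verified in person; a key with no verifiable UID must not be signed."""
    report: Dict[str, bool] = {}
    for uid in parse_uids(colon_output):
        short = uid.keyid[-8:]
        report[short] = report.get(short, False) or verifiable(uid)
    return report


if __name__ == "__main__":
    for uid in parse_uids(SAMPLE_COLON_OUTPUT):
        verdict = ("verify person, key and address, then sign"
                   if verifiable(uid) else "unverifiable UID: do not sign")
        print(f"{uid.keyid[-8:]}  {uid.userid!r}: {verdict}")
```

Run against a real keyring with `gpg --with-colons --list-keys | python3 this_script.py`-style piping by replacing the sample constant; the report only tells you which UIDs are even candidates for in-person checking, it never replaces meeting the person and comparing the fingerprint.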
