signing a robot's key - was: Re: Global Directory signatures
linux at codehelp.co.uk
Sat Jan 1 14:31:35 CET 2005
On Saturday 01 January 2005 12:03 pm, Jeff Fisher wrote:
> The difference between the two here is that the key 57548DCD purportes to
> be Werner Koch (gnupg sig) <dd9jn at gnu.org>, not "GnuPG release signing
> key." It is intended for a role, but also has a link to a real person and
> an e-mail address. For this key, you would need to verify all three bits
> of information for signing.
> However, for key CA57AD7C, the only bit of information on the key is: "PGP
> Global Directory Verification Key." To verify this, you only need to
> confirm that it is fulfilling this role.
But you cannot do that, you cannot prove to me that it is that key. There is
no way that I can verify the key because I cannot verify the UID. As David
said, it is trivial to create yet another PGP Global Directory Verification
Key - how can you prove which one is 'real'? As it would be my own key,
created under false pretences, I could introduce it to PGP GD and sign
whatever I wanted with it.
Without verifying the UID you cannot verify the key.
Without verifying the key, you cannot prove that the key is genuine.
Without proof that the key is genuine, you must NOT sign the key!!!
> Indeed, there is no way that
> meeting someone in meatspace can confirm this, without that person abusing
> the intended role for this key, thus eroding trust in it.
Exactly, so the key is impossible for those outside PGP to verify. Unless you
have inside knowledge of who really created that key and who has access to
the secret key, you CANNOT verify that key.
> In the above
> case, if they key had said only "GnuPG release signing key", and had a
> history of signing the gnupg releases, that would be the only verification
> needed to identify the key as what it purportes to be.
Rubbish - it's not verifying the key at all, it's merely recognising what it
purports to be. No verification has been achieved, no proof has been shown
because none exists. You must have inside knowledge before you can sign this
key - the UID alone is insufficient and cannot be positively identified.
> Verifying that
> person X has control of this key is superfluous to verfifying it's role.
True, but that also means that this key CANNOT be verified.
I despair at those who are willing to sign unverifiable keys, I will NOT sign
any key that cannot be properly verified to me. I can prove that every
signature I have made was verified - positively identified as that physical
person, that precise key, that email address.
I fail to see that anyone can ever deem it reasonable to sign keys when
verification hasn't even taken place.
A signature is NOT for your benefit - it is a testament to others that YOU
have positively identified that person, that key and that UID and that you
can PROVE your verification.
People need to be able to use signatures, signing a key that is not
identifiable to a physical person is pointless. Only a fool signs without
verifying the physical person. If no physical person can be identified, it
should never be signed! Simple!
Don't sign it unless you can prove it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050101/620a4cf4/attachment.bin
More information about the Gnupg-users