signing a robot's key - was: Re: Global Directory signatures
jeff+gnupg at jeffenstein.dyndns.org
Sat Jan 1 16:34:51 CET 2005
On Sat, Jan 01, 2005 at 01:31:35PM +0000, Neil Williams wrote:
> But you cannot do that, you cannot prove to me that it is that key. There is
> no way that I can verify the key because I cannot verify the UID. As David
> said, it is trivial to create yet another PGP Global Directory Verification
> Key - how can you prove which one is 'real'?
What you're really saying is that it can't be proven to a level you are
willing to accept. Fortunately, PGP/GnuPG doesn't dictate this, so people can
follow whatever trust model they are willing to accept. I (and others I've
worked with) am willing to accept that roles exist, and that roles cannot
necessarily be associated to a single person. You (and others on this list)
are not. That's this discussion in a nutshell.
To use the X.509/SSL model, have you ever done a transaction involving money
in a web browser? If you have, you've implicitly told the other end of the
transaction that you trust the key (and backed it up with a monetary value).
Did you personally verify the root CA that signed the web server's
certificate? Or, did you even verify the web server's certificate? Did you
correlate either to a real-world person? Of course you didn't; you couldn't
because they are a role associated with more than one person, and those people
may or may not change more often than the key itself.
No, it's not the same system, but it has the same concept of trusting keys
that are signed by others, and keys being associated with people or entities.
> As it would be my own key,
> created under false pretences, I could introduce it to PGP GD and sign
> whatever I wanted with it.
But you couldn't put it on the PGP web site, or sign every key that is
submitted to the PGP global directory, and modify the keys in the directory to
remove the valid signature, making yours look correct. Yes, you can create a
key that looks correct, but you can't use that key in the intended role.
Anybody can create a president at whitehouse.gov key. However, nobody will trust
it because that key does not sign messages coming from
president at whitehouse.gov or respond to messages encrypted to
president at whitehouse.gov. The real PGP directory key acts in a way consistent
with its name, which (to the people using the directory) proves it's
> > In the above
> > case, if the key had said only "GnuPG release signing key", and had a
> > history of signing the gnupg releases, that would be the only verification
> > needed to identify the key as what it purports to be.
> Rubbish - it's not verifying the key at all, it's merely recognising what it
> purports to be.
Ok, if the definition of verify is not 'prove that something is what it claims
to be', please fill me in. Oxford lists, "establish the truth or correctness
of by examination." How would you verify a toll booth is what it says it is?
Its identity is its function. Its identity is not who is in the booth.
> No verification has been achieved, no proof has been shown
> because none exists. You must have inside knowledge before you can sign this
> key - the UID alone is insufficient and cannot be positively identified.
> > Verifying that
> > person X has control of this key is superfluous to verifying its role.
> True, but that also means that this key CANNOT be verified.
For the toll booth example, do you need to know who built the toll booth to
verify that it is indeed a toll booth? Even when travelling in a foreign
country? Would you refuse to pay if you could not verify this?
On to another example, SSH. Arguably much more popular than PGP/GnuPG, with
the same concept of a key identifying an entity. How do you verify a host's
key? Do you have to insist that a host corresponds to a person or group of
people? Do you go to your local system administrator to verify the
fingerprint of the key? How do you verify that he administrates that system,
as most organizations have multiple system administration groups? In the ~7
years that I've been using ssh in system administration, I have yet to have a
single person come to me for this verification, or even hear of it happening.
> I despair at those who are willing to sign unverifiable keys, I will NOT sign
> any key that cannot be properly verified to me. I can prove that every
> signature I have made was verified - positively identified as that physical
> person, that precise key, that email address.
> I fail to see that anyone can ever deem it reasonable to sign keys when
> verification hasn't even taken place.
> A signature is NOT for your benefit - it is a testament to others that YOU
> have positively identified that person, that key and that UID and that you
> can PROVE your verification.
> People need to be able to use signatures, signing a key that is not
> identifiable to a physical person is pointless. Only a fool signs without
> verifying the physical person. If no physical person can be identified, it
> should never be signed! Simple!
You're forgetting that not everybody wants the same level of verification, or
has the same ideas about what verification means.
In the two instances where I've helped set up PGP to be used in a corporate
environment (for payroll and customer billing info), the verification process
1) Received key on disk via fedex.
2) Made a test transaction.
3) Called the contact at the remote company to verify that the transaction did
indeed arrive and they were able to process it.
In either of these cases, the management would never have accepted, 'person x
signed the key, so we can trust it', regardless of the identity of person x.
In neither case was there a person's name on the key. Yet the financial
department at both companies was willing to accept this idea of verification,
and back that up with large sums of money -- after it was verified to their
level of satisfaction. Are you willing to do the same with the WoT?
> Don't sign it unless you can prove it!
... to a satisfactory level.
That you have your idea of verification and what you are willing to accept is
fine. I have a different idea. You can use yours, and I can use mine. All
this means is that I don't trust your signatures and you don't trust my
signatures, and life goes on.
Me - jeff at jeffenstein.dyndns.org