signing a robot's key - was: Re: Global Directory signatures

David Shaw dshaw at jabberwocky.com
Sat Jan 1 17:23:57 CET 2005


On Sat, Jan 01, 2005 at 01:05:01PM +0100, Jeff Fisher wrote:
> On Thu, Dec 30, 2004 at 04:57:36PM -0500, Atom 'Smasher' wrote:

> > signing a key is a statement that one has checked and verified
> > that the key really belongs to the person or group identified by
> > the key. unless that verification is actually done, the only
> > statement being made is that someone is issuing bad signatures.
> 
> So, you don't believe keys can exist for roles. I do. Anybody who
> uses https in a browser without first clearing the CA list does.
> Tens of governments do.  Hundreds (or possibly thousands) of
> companies do.  Numbers don't make it right, but they do define what
> actually works in the real world.

I think that's a bit of a straw man there.  Nobody that I see in this
discussion is plugging their ears and chanting "la la la la la" about
the concept of role or robot keys.  Keys clearly exist for roles and
robots, and they are clearly widely used.

The original question I asked was not "how can you ever trust a role
key?", but "how can you sign a role key?"  There is a difference
between trusting and using a role or robot key for oneself, and
publicly standing up and asserting that belief for the world.

Please understand: I'm not criticizing your stance here, and I don't
particularly care if I persuade you or anybody to my way of thinking.
I'm genuinely interested in the opinions and rationales of people who
have given this problem thought and then arrived at a different
conclusion than I did.

That conclusion, if anyone cares, is that I will happily sign a role
or robot key if I have actual proof (rather than just firm belief)
that the role or robot key is the right one.  I would, and have,
signed a no-human-name hostmaster or postmaster key if I worked at the
company they were for.  In that case, I was in a position to say
publicly that I knew the key was correct.

I won't sign the GD key without being in that position, though I quite
happily use and believe the GD key is the right one.  Let me ask you
this: did you sign the GD key?  If not, why not?  Clearly you believe,
as I do, that it is the right key.

David



More information about the Gnupg-users mailing list