signing a robot's key - was: Re: Global Directory signatures

Neil Williams linux at
Sat Jan 1 18:22:33 CET 2005

On Saturday 01 January 2005 4:40 pm, Mark H. Wood wrote:
> On Sat, 1 Jan 2005, Neil Williams wrote:
> > But you cannot do that, you cannot prove to me that it is that key. There
> > is no way that I can verify the key because I cannot verify the UID. As
> > David said, it is trivial to create yet another PGP Global Directory
> > Verification Key - how can you prove which one is 'real'? As it would be
> > my own key, created under false pretences, I could introduce it to PGP GD
> > and sign whatever I wanted with it.
> So, looking up PGP Corporation in the phone book, calling their corporate
> headquarters, and verifying the fingerprint with a person wouldn't help?

1. You are still trusting an unknown person you've never met to give you the 
right information, just on the basis of their employer.
2. How many people will even do that? 

(And can you imagine the response from reception if we all did?)

It's still about trusting an individual - if you don't meet, you will never 
know if it's actually the right person.

David's explained why he'd sign a robot key if he was in a privileged position 
with the owner of the key - so would I in the same situation because there 
would be >=1 person who I could verify as individual(s).

Like David, I'd never sign a non-individual key otherwise.

> In that case, I was in a position to say
> publicly that I knew the key was correct.

That's my main point - I only sign if I can honestly and publicly declare that 
I KNOW and have proven that it is the correct key for the UID.

That is what I believe a signature to be.

I would hope that everyone would be willing to trust my key and keys that I 
have signed on this basis: Verify me and have confidence that the keys that I 
have signed are known to have been good at the time of signing.

Until you've verified my key and me (or someone who has signed my key) as an 
individual, you cannot hope to prove that this signature is made by the 
person claimed in the key UIDs.

You could ring me on the 'phone and ask, but you still haven't verified me - 
just my phone number. It could be anyone at the end of the phone, there's not 
even much certainty that you'd get the right number without knowing me.


Neil Williams

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050101/bbdcd5c2/attachment.bin

More information about the Gnupg-users mailing list