signing a robot's key - was: Re: Global Directory signatures

Jeff Fisher jeff+gnupg at
Sat Jan 1 19:00:12 CET 2005

Hash: SHA256

On Sat, Jan 01, 2005 at 11:23:57AM -0500, David Shaw wrote:
> On Sat, Jan 01, 2005 at 01:05:01PM +0100, Jeff Fisher wrote:
> > 
> > So, you don't believe keys can exist for roles. I do. Anybody who
> > uses https in a browser without first clearing the CA list does.
> > Tens of governments do.  Hundreds (or possibly thousands) of
> > companies do.  Numbers don't make it right, but they do define what
> > actually works in the real world.
> I think that's a bit of a straw man there.  Nobody that I see in this
> discussion is plugging their ears and chanting "la la la la la" about
> the concept of role or robot keys.  Keys clearly exist for roles and
> robots, and they are clearly widely used.
> The original question I asked was not "how can you ever trust a role
> key?", but "how can you sign a role key?"  There is a difference
> between trusting and using a role or robot key for oneself, and
> publicly standing up and asserting that belief for the world.
> ...
> That conclusion, if anyone cares, is that I will happily sign a role
> or robot key if I have actual proof (rather than just firm belief)
> that the role or robot key is the right one.  I would, and have,
> signed a no-human-name hostmaster or postmaster key if I worked at the
> company they were for.  In that case, I was in a position to say
> publicly that I knew the key was correct.
> I won't sign the GD key without being in that position, though I quite
> happily use and believe the GD key is the right one.  Let me ask you
> this: did you sign the GD key?  If not, why not?  Clearly you believe,
> as I do, that it is the right key.

Ok, so I might have gone to far with the role argument there...

For me, in this case, the key and the role are the same thing.  The key only
exists for the role, and the role can only be effectively done by using a key.
If you trust the key to do the role, then I see a very small difference
between trusting it personally and telling your neigbor that you do so.

My opinions on key trust:

If it is just used for e-mail, then I only care that the key matches the
e-mail address.  The only keys trusted as introducers on my keyring are the
ones that verify this.  Had I met the person at a conference or at a
training course, I would demand no more than that -- they are in the same
class or conference because they are physically present.  Beyond that, they
can call themselves almost any name they want, as I am not trusting them
with anything that depends on their name.

However, if it is used for business / transactions, then I will not trust
anything but personally verifying the identity of the key, or a trusted
third party doing the same (but not through key signing).  For the ssl
example in another e-mail, this is getting the URL for the bank from their
literature, or a similar method.  If they used pgp, I would get the
fingerprint from their brochure.

While gpg is a great tool for encrypting and verifying e-mail, I don't put
any more trust in the WoT than I would had I met the same people on the
street.  If I don't know someone personally, I wouldn't trust them to vouch
for another person.

For the record, the only keys I have non-locally signed keys of close
friends.  For the rest, I have only signed them locally to get rid of the
'untrusted signature' message (they've sent 20 messages that verified good,
they must be doing something right), or in the case of Robot CA's, to mark them
as trusted introducers.  My setup probably needs some tuning to verify this
is working correctly, but as stated above, I won't trust anything sensitive
to pgp unless I really trust the person, and have personally verified the

I would have no problem publicly signing a Robot CA key, but because I
wouldn't trust an unknown third party (and thus assume others are similar),
I haven't seen much utility in doing so. If I believed anybody out there
had any trust in my key, then I would publicly sign them; of course after I
had verified they were working as advertised by having a key signed by

For those who've gotten this far, how many would or would not trust the WoT
(meaning beyond a friend/aquaintance, or beyond someone vouched for by a
friend/aquaintance) for transactions involving money or sensitive
information?  I'm curious if I'm just to cynical or paranoid.

- -- 
Me - jeff at


More information about the Gnupg-users mailing list