signing a robot's key - was: Re: Global Directory signatures
jeff+gnupg at jeffenstein.dyndns.org
Sat Jan 1 19:01:47 CET 2005
On Sat, Jan 01, 2005 at 05:22:33PM +0000, Neil Williams wrote:
> On Saturday 01 January 2005 4:40 pm, Mark H. Wood wrote:
> > On Sat, 1 Jan 2005, Neil Williams wrote:
> > > But you cannot do that, you cannot prove to me that it is that key. There
> > > is no way that I can verify the key because I cannot verify the UID. As
> > > David said, it is trivial to create yet another PGP Global Directory
> > > Verification Key - how can you prove which one is 'real'? As it would be
> > > my own key, created under false pretences, I could introduce it to PGP GD
> > > and sign whatever I wanted with it.
> > So, looking up PGP Corporation in the phone book, calling their corporate
> > headquarters, and verifying the fingerprint with a person wouldn't help?
> 1. You are still trusting an unknown person you've never met to give you the
> right information, just on the basis of their employer.
> It's still about trusting an individual - if you don't meet, you will never
> know if it's actually the right person.
But how do you verify that person created the key, or wrote the application?
You would have to either trust them to tell you the truth, or interview tens
of people that work at their company, assuming you trusted their HR department
to tell you that they do work there, and that they are in the correct
Me - jeff at jeffenstein.dyndns.org