signing a robot's key - was: Re: Global Directory signatures

Jeff Fisher jeff+gnupg at jeffenstein.dyndns.org
Sat Jan 1 19:01:47 CET 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Sat, Jan 01, 2005 at 05:22:33PM +0000, Neil Williams wrote:
> On Saturday 01 January 2005 4:40 pm, Mark H. Wood wrote:
> > On Sat, 1 Jan 2005, Neil Williams wrote:
> > > But you cannot do that, you cannot prove to me that it is that key. There
> > > is no way that I can verify the key because I cannot verify the UID. As
> > > David said, it is trivial to create yet another PGP Global Directory
> > > Verification Key - how can you prove which one is 'real'? As it would be
> > > my own key, created under false pretences, I could introduce it to PGP GD
> > > and sign whatever I wanted with it.
> >
> > So, looking up PGP Corporation in the phone book, calling their corporate
> > headquarters, and verifying the fingerprint with a person wouldn't help?
> 
> 1. You are still trusting an unknown person you've never met to give you the 
> right information, just on the basis of their employer.
> ...
> It's still about trusting an individual - if you don't meet, you will never 
> know if it's actually the right person.

But how do you verify that person created the key, or wrote the application?
You would have to either trust them to tell you the truth, or interview tens
of people that work at their company, assuming you trusted their HR department
to tell you that they do work there, and that they are in the correct
department.

- -- 
Me - jeff at jeffenstein.dyndns.org
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



More information about the Gnupg-users mailing list