signing a robot's key - was: Re: Global Directory signatures
Neil Williams
linux at codehelp.co.uk
Sat Jan 1 21:40:56 CET 2005
On Saturday 01 January 2005 6:01 pm, Jeff Fisher wrote:
> > > So, looking up PGP Corporation in the phone book, calling their
> > > corporate headquarters, and verifying the fingerprint with a person
> > > wouldn't help?
> >
> > 1. You are still trusting an unknown person you've never met to give you
> > the right information, just on the basis of their employer.
> > ...
> > It's still about trusting an individual - if you don't meet, you will
> > never know if it's actually the right person.
>
> But how do you verify that person created the key, or wrote the
> application?
What, at PGP? I'd never sign their key anyway.
:-)
I have to meet someone face to face, verify their photo ID, receive a printed
copy of their key fingerprint and then verify their email address (using CA
bot unless I already have email correspondence) and then I'll sign a key.
Seriously, I would never sign any key that cannot be verified as above. I have
not and will not sign any automated or corporate keys that cannot be tied to
one specific individual who can be independently verified.
I cannot prove the verification of any such keys so I will not put myself in a
position where someone might be excused for using such a proof.
It doesn't stop me using encryption to those people that I need to use
encryption, it doesn't stop others trusting my key on my software. I continue
to seek out keysignings to increase the number of people who can trust my key
and I jealously guard both the key and the system that allows people to trust
my key.
> You would have to either trust them to tell you the truth, or
> interview tens of people that work at their company, assuming you trusted
> their HR department to tell you that they do work there, and that they are
> in the correct department.
No, you simply don't, ever, sign their key.
If you must, use a local.
--
Neil Williams
=============
http://www.dclug.org.uk/
http://www.nosoftwarepatents.com/
http://sourceforge.net/projects/isbnsearch/
http://www.williamsleesmill.me.uk/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
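The signing checklist above, as an added example that is not the author's code or part of GnuPG: a small pre-signing check that compares a fingerprint copied from a printed slip against what gpg reports, refuses outright for a key not tied to one verified individual, and otherwise picks an exportable signature only when every step has been done and a local (non-exportable) signature otherwise. The gpg output and the key id are constructed samples.

```python
"""Pre-signing check following the face-to-face policy in the post."""
import re
from typing import List, Optional

# Constructed sample of `gpg --with-colons --fingerprint <keyid>` output;
# the key id and fingerprint are made up for this example.
SAMPLE_GPG_OUTPUT = """\
tru::1:1104614456:0:3:1:5
pub:-:1024:17:0123456789ABCDEF:2004-12-01:::-:::scESC:
fpr:::::::::1234567890ABCDEF1234567890ABCDEF12345678:
uid:-::::2004-12-01::DEADBEEF::Example Person <person@example.org>:
"""


def normalise_fingerprint(text: str) -> str:
    """Drop the spaces and separators a person writes on paper; upper-case hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def fingerprints_from_colons(output: str) -> List[str]:
    """Field 10 of every 'fpr' record holds a fingerprint (primary and subkeys)."""
    fprs = []
    for line in output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            fprs.append(fields[9])
    return fprs


def choose_signing_command(printed_fpr: str, gpg_output: str, key_id: str,
                           tied_to_individual: bool, met_in_person: bool,
                           photo_id_checked: bool,
                           email_verified: bool) -> Optional[List[str]]:
    """Return the gpg command to run, or None when no signature is justified."""
    if not tied_to_individual:
        return None  # automated/corporate key: never sign it at all
    wanted = normalise_fingerprint(printed_fpr)
    if len(wanted) != 40 or wanted not in fingerprints_from_colons(gpg_output):
        return None  # printed slip does not match the key gpg holds
    if met_in_person and photo_id_checked and email_verified:
        return ["gpg", "--sign-key", key_id]   # exportable certification
    return ["gpg", "--lsign-key", key_id]      # local signature, never exported
```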
More information about the Gnupg-users mailing list