signing a robot's key - was: Re: Global Directory signatures

Neil Williams linux at codehelp.co.uk
Sat Jan 1 21:40:56 CET 2005


On Saturday 01 January 2005 6:01 pm, Jeff Fisher wrote:
> > > So, looking up PGP Corporation in the phone book, calling their
> > > corporate headquarters, and verifying the fingerprint with a person
> > > wouldn't help?
> >
> > 1. You are still trusting an unknown person you've never met to give you
> > the right information, just on the basis of their employer.
> > ...
> > It's still about trusting an individual - if you don't meet, you will
> > never know if it's actually the right person.
>
> But how do you verify that person created the key, or wrote the
> application?

What, at PGP? I'd never sign their key anyway.
:-)

I have to meet someone face to face, verify their photo ID, receive a printed 
copy of their key fingerprint and then verify their email address (using CA 
bot unless I already have email correspondence) and then I'll sign a key.

Seriously, I would never sign any key that cannot be verified as above. I have 
not and will not sign any automated or corporate keys that cannot be tied to 
one specific individual who can be independently verified.

I cannot prove the verification of any such keys so I will not put myself in a 
position where someone might be excused for using such a proof.

It doesn't stop me using encryption to those people that I need to use 
encryption, it doesn't stop others trusting my key on my software. I continue 
to seek out keysignings to increase the number of people who can trust my key 
and I jealously guard both the key and the system that allows people to trust 
my key.

> You would have to either trust them to tell you the truth, or 
> interview tens of people that work at their company, assuming you trusted
> their HR department to tell you that they do work there, and that they are
> in the correct department.

No, you simply don't, ever, sign their key.

If you must, use a local.

-- 

Neil Williams
=============
http://www.dclug.org.uk/
http://www.nosoftwarepatents.com/
http://sourceforge.net/projects/isbnsearch/
http://www.williamsleesmill.me.uk/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3

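Added example, not part of Neil's post or of GnuPG itself: the first step of the signing procedure above is comparing the fingerprint on the printed slip with the fingerprint gpg reports for the key. The script below parses GnuPG's machine-readable `--with-colons --fingerprint` output (the `fpr:` and `uid:` records), normalises the spacing on a hand-written or printed slip, and only accepts a full 40-hex-digit match on the primary key, never a short key ID or a subkey fingerprint. The gpg output, key, fingerprint and e-mail address are all constructed for this example.

```python
"""Check a printed fingerprint slip against `gpg --with-colons --fingerprint` output.

Added example; the sample output, key and e-mail address below are constructed
and do not belong to any real key.
"""
import re

# Constructed stand-in for `gpg --with-colons --fingerprint <key>` output.
# Field 10 of an `fpr:` record is the fingerprint, field 10 of a `uid:` record
# is the user ID. The first `fpr:` after `pub:` belongs to the primary key;
# the `fpr:` after `sub:` belongs to a subkey and must not be accepted.
SAMPLE_GPG_OUTPUT = """\
tru::1:1104600000:0:3:1:5
pub:-:4096:1:0123456789ABCDEF:1104600000:::-:::scESC::::::23::0:
fpr:::::::::FEDCBA98765432100123456789ABCDEF01234567:
uid:-::::1104600000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1104600000::::::e::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
"""

FULL_FPR_RE = re.compile(r"^[0-9A-F]{40}$")


def parse_colon_output(text):
    """Return (primary_fingerprint, [user ids]) from --with-colons output."""
    primary_fpr = None
    uids = []
    expecting_primary_fpr = False
    for line in text.splitlines():
        fields = line.split(":")
        record = fields[0]
        if record == "pub":
            expecting_primary_fpr = True
        elif record == "fpr" and expecting_primary_fpr:
            primary_fpr = fields[9].upper()
            expecting_primary_fpr = False
        elif record == "uid":
            # Colons inside a user ID are escaped as \x3a by gpg; not decoded here.
            uids.append(fields[9])
    return primary_fpr, uids


def normalize_printed_fingerprint(printed):
    """Drop the grouping spaces and stray colons people write on a slip."""
    return re.sub(r"[\s:]", "", printed).upper()


def fingerprint_matches(printed, gpg_output):
    """True only if the slip carries the full 40-digit primary fingerprint."""
    slip = normalize_printed_fingerprint(printed)
    if not FULL_FPR_RE.match(slip):
        return False  # a short key ID or a truncated slip is never enough
    primary_fpr, _ = parse_colon_output(gpg_output)
    return primary_fpr == slip


def email_in_uids(email, gpg_output):
    """True if the address you have verified appears in one of the key's user IDs."""
    _, uids = parse_colon_output(gpg_output)
    wanted = email.strip().lower()
    for uid in uids:
        match = re.search(r"<([^>]+)>", uid)
        address = match.group(1) if match else uid
        if address.strip().lower() == wanted:
            return True
    return False


if __name__ == "__main__":
    slip = "FEDC BA98 7654 3210 0123  4567 89AB CDEF 0123 4567"
    print("fingerprint matches:", fingerprint_matches(slip, SAMPLE_GPG_OUTPUT))
    print("short key id accepted:", fingerprint_matches("89ABCDEF01234567", SAMPLE_GPG_OUTPUT))
    print("email on key:", email_in_uids("alice@example.org", SAMPLE_GPG_OUTPUT))
```

Only after both checks pass (and the photo ID and e-mail round trip the post describes) would the key be signed. For the "use a local" case at the end of the post, GnuPG's `gpg --lsign-key` makes a non-exportable local signature, so the trust stays on your own keyring instead of being published as a proof others might rely on.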