signing a robot's key - was: Re: Global Directory signatures

Jean-David Beyer jdbeyer at exit109.com
Sun Jan 2 03:54:53 CET 2005


Neil Williams wrote (in part):
> On Saturday 01 January 2005 9:07 pm, you wrote:
> 
>>This is something I still do not understand about the WOT and signing
>>other people's keys. I even signed a person's key once. I did not know
>>him, but we met face-to-face and he brought his US Government Passport
>>that had his picture in it and it matched him quite well. Similarly, I
>>brought my US Government Passport that had my picture in it and I even
>>wore the same sweater that I wore when the picture was taken. He brought
>>his fingerprint, as I did mine. We then exchanged signed encrypted e-mails
>>where I sent him a message with an encrypted string in it that looks like
>>something the password in the /etc/shadow file which he encrypted and sent
>>back. It matched. 
> 
>>But really, I do not know who he is. I am not claiming I signed his key
>>with insufficient care. But I may have. I know he has access to the
>>private key corresponding to the fingerprint he showed me. Is that enough?
> 
> Yes. It's not a statement of his character, just a statement that he is 
> correctly identified by the key UID and that he can prove his identity.

He is pretty clearly the guy on his passport. He gave me the fingerprint 
and pgp-key id that he wanted signed. I get e-mail clearly signed and 
encrypted with that key. That e-mail can be decrypted with the public key 
corresponding to that key id on keyservers.
> 
> You presumably had a chance to chat to him, you corresponded at least briefly 
> by email . . . It takes a little effort to keep things going - whatever 
> brought you together is presumably a common interest, it doesn't hurt to 
> remain in communication.

As far as I know, our only common interest was to get signatures other 
than our own on our keys.

>>For all I know, the poor owner of the machine(s) where that secret key
>>resides is tied up in a warehouse somewhere, and this guy is a fraud.
> 
> He would still need the passphrase, not just access to the secret key.

Thank you: I forgot about that. I hope his passphrase is at least as 
difficult as mine.
> 
> He would also need to have changed the key UID to match the identity on the 
> photo ID that he provided for you to see. The keyserver will show this - it 
> doesn't delete old UID's, most just add the new one.
> 
> The easiest way to allay your fears is to continue communication with him - 
> signed and occasionally encrypted. Also, don't worry about this being the 
> only one - as you get more signatures, the reliance on any one dud becomes 
> less important.
> 
> Once you get signed by a key in the strong set, it reduces further. This whole 
> WoT is about weight of numbers.
> 
>>So I have signed only one person's key, and only he has signed mine. I get
>>no use from gnupg because no one I know has the slightest interest in
>>secure communications.
> 
> 
> You're on the list, it would be useful to sign your messages to the list.

I guess so, but I use the mailer in Mozilla, and I can never find a 
version of enigmail that works with the Mozilla I have.
> 
> (BTW, did you mean for this to come only to me?

No: I bungled it, but realized it (too late) and sent a copy to the list.

> Can we keep replies on the 
> list so that everyone benefits, please?)

Yes: I still cannot get used to the fact that on this mailing list if I 
click "Reply" it replies to the person, even though I got the e-mail from 
the list. I wish it would not do that. The other mailing lists to which I 
subscribe reply to the list.
I see there is a *Mail-Followup-To: gnupg-users at gnupg.org* header, but not 
the usual *Reply-To:* My guess is that Mozilla honors Reply-To but not the 
other.
> 
> The best way of getting your key in use is to use it!
> :-)

Yes, but other lists complain bitterly if messages are signed.
> 
> Get across to biglumber (URL in my sig) and enter your key. That will at least 
> make it clear to others in your area and allow you to see who else is 
> interested in your locality. See if your local LUG has keysignings, get along 
> to a nearby Expo or conference. These things take time and you can't expect 
> signatures to drop out of the air.

I have entered my key on biglumber in the past. Also, you and I have 
exchanged keys, even though you are unable to say if I am who I say I am.
> 
> You need to let people see that you have a key and like to use it. 
> 
> Stick your key ID in your sig. Sign all your email.

No good. If I sign e-mail to AOL users, and include any attachment of any 
kind, they cannot handle it because AOL's brain-damaged e-mail software 
assumes all attachments are of the same type.

-- 
   .~.  Jean-David Beyer           Registered Linux User 85642.
   /V\                             Registered Machine   241939.
  /( )\ Shrewsbury, New Jersey     http://counter.li.org
  ^^-^^ 20:55:00 up 1 day, 10:13, 3 users, load average: 4.19, 4.22, 4.10
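An added illustration of the pre-signing checks the exchange above describes (fingerprint on the slip, name on the photo ID, and the extra UIDs a keyserver keeps around); this is not code from the original post or from GnuPG, and the listing it parses is a constructed sample in `gpg --with-colons` format with placeholder fingerprint and names.

```python
"""Pre-signing checks for a key presented at a face-to-face exchange.

SAMPLE_LISTING is CONSTRUCTED sample output in the format of
`gpg --with-colons --fingerprint --list-keys`; the fingerprint and
user IDs are placeholders, not a real key.
"""
from typing import Dict, List

SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1104537600:::u:::scESC::::::23::0:
fpr:::::::::0000111122223333444455556666777788889999:
uid:u::::1104537600::X::Alex Example <alex at example.org>::::::::::0:
uid:u::::1104537600::Y::Pat Example <pat at example.org>::::::::::0:
"""


def parse_listing(listing: str) -> Dict[str, List[str]]:
    """Return {'fpr': [...], 'uid': [...]} from colon-delimited gpg output."""
    found: Dict[str, List[str]] = {"fpr": [], "uid": []}
    for line in listing.splitlines():
        fields = line.split(":")
        # Field 10 (index 9) holds the fingerprint in 'fpr' records
        # and the user ID string in 'uid' records.
        if fields[0] in found and len(fields) > 9:
            found[fields[0]].append(fields[9])
    return found


def normalize_fpr(text: str) -> str:
    """Strip the spacing people write on paper slips and upper-case hex."""
    return "".join(text.split()).upper()


def check_key(listing: str, slip_fingerprint: str, name_on_id: str) -> dict:
    """Compare the fingerprint on the paper slip and the name on the photo ID
    with what the key actually carries.  UIDs that do not match the ID are
    reported separately: the keyserver does not delete old UIDs, so only
    the UIDs you verified in person should get your signature."""
    parsed = parse_listing(listing)
    fprs = [normalize_fpr(f) for f in parsed["fpr"]]
    matching = [u for u in parsed["uid"] if name_on_id.lower() in u.lower()]
    others = [u for u in parsed["uid"] if u not in matching]
    return {
        "fingerprint_matches": normalize_fpr(slip_fingerprint) in fprs,
        "uids_matching_id": matching,
        "uids_not_matching_id": others,
    }
```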
