signing a robot's key - was: Re: Global Directory signatures
jdbeyer at exit109.com
Sun Jan 2 03:54:53 CET 2005
Neil Williams wrote (in part):
> On Saturday 01 January 2005 9:07 pm, you wrote:
>>This is something I still do not understant about the WOT and signing
>>other people's keys. I even signed a person's key once. I did not know
>>him, but we met face-to-face and he brought his US Government Passport
>>that had his picture in it and it matched him quite well. Simililarly, I
>>brought my US Government Passport that had my picture in it and I even
>>wore the same sweater that I wore when the picture was taken. He brought
>>his fingerprint, as I did mine. We then exchanged signed encrypted e-mails
>>where I sent him a message with an encrypted string in it that looks like
>>something the password in the /etc/shadow file which he encrypted and sent
>>back. It matched.
>>But really, I do not know who he is. I am not claiming I signed his key
>>with insufficient care. But I may have. I know he has access to the
>>private key corresponding to the fingerprint he showed me. Is that enough?
> Yes. It's not a statement of his character, just a statement that he is
> correctly identified by the key UID and that he can prove his identity.
He is pretty clearly the guy on his passport. He gave me the fingerprint
and pgp-key id that he wanted signed. I get e-mail clearly signed and
encrypted with that key. That e-mail can be decrypted with the public key
corresponding to that key id on keyservers.
> You presumably had a chance to chat to him, you corresponded at least briefly
> by email . . . It takes a little effort to keep things going - whatever
> brought you together is presumably a common interest, it doesn't hurt to
> remain in communication.
As far as I know, our only common interest was to get signatures other
than our own on our keys.
>>For all I know, the poor owner of the machine(s) where that secret key
>>resides is tied up in a warehouse somewhere, and this guy is a fraud.
> He would still need the passphrase, not just access to the secret key.
Thank you: I forgot about that. I hope his passphrase is at least as
difficult as mine.
> He would also need to have changed the key UID to match the identity on the
> photo ID that he provided for you to see. The keyserver will show this - it
> doesn't delete old UID's, most just add the new one.
> The easiest way to allay your fears is to continue communication with him -
> signed and occasionally encrypted. Also, don't worry about this being the
> only one - as you get more signatures, the reliance on any one dud becomes
> less important.
> Once you get signed by a key in the strong set, it reduces further. This whole
> WoT is about weight of numbers.
>>So I have signed only one person's key, and only he has signed mine. I get
>>no use from gnupg because no one I know has the slightest interest in
> You're on the list, it would be useful to sign your messages to the list.
I guess so, but I use the mailer in Mozilla, and I can never find a
version of enigmail that works with the Mozilla I have.
> (BTW, did you mean for this to come only to me?
No: I bungled it, but realized it (too late) and sent a copy to the list.
> Can we keep replies on the
> list so that everyone benefits, please?)
Yes: I still cannot get used to the fact that on this mailing list if I
click "Reply" it replies to the person, even though I got the e-mail from
the list. I wish it would not do that. The other mailing lists to which I
subscribe reply to the list.
I see there is a *Mail-Followup-To: gnupg-users at gnupg.org* header, but not
the usual *Reply-To:* My guess is that Mozilla honors Reply-To but not the
> The best way of getting your key in use is to use it!
Yes, but other lists complain bitterly if messages are signed.
> Get across to biglumber (URL in my sig) and enter your key. That will at least
> make it clear to others in your area and allow you to see who else is
> interested in your locality. See if your local LUG has keysignings, get along
> to a nearby Expo or conference. These things take time and you can't expect
> signatures to drop out of the air.
I have entered my key on biglumber in the past. Also, you and I have
exchanged keys, even though you are unable to say if I am who I say I am.
> You need to let people see that you have a key and like to use it.
> Stick your key ID in your sig. Sign all your email.
No good. If I sign e-mail to AOL users, and include any attachment of any
kind, they cannot handle it because AOL's brain-damaged e-mail software
assumes all attachments are of the same type.
.~. Jean-David Beyer Registered Linux User 85642.
/V\ Registered Machine 241939.
/( )\ Shrewsbury, New Jersey http://counter.li.org
^^-^^ 20:55:00 up 1 day, 10:13, 3 users, load average: 4.19, 4.22, 4.10
More information about the Gnupg-users