signing a robot's key - was: Re: Global Directory signatures

Mark H. Wood mwood at IUPUI.Edu
Sun Jan 2 18:09:22 CET 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 1 Jan 2005, Neil Williams wrote:
> On Saturday 01 January 2005 4:40 pm, Mark H. Wood wrote:
> > So, looking up PGP Corporation in the phone book, calling their corporate
> > headquarters, and verifying the fingerprint with a person wouldn't help?
>
> 1. You are still trusting an unknown person you've never met to give you the
> right information, just on the basis of their employer.

How is this different from trusting an unknown person I've never met
(before) on the basis of his being able to produce a couple of cards which
have his likeness (more or less) and the name he gave me?  One reason I
haven't been to any keysigning parties is that I wouldn't trust my ability
to verify someone's identity.

*All personal identification is role-based.*  It just depends on which
role is important to you.  Do you care that I'm the child of my parents?
employed by a certain employer? the author of a body of emails? the person
living at suchandso address? the person who bought the property at
suchandso address? the person who put money into your bank, or borrowed
money from your bank?  Those are all me.  It's reasonable for various
entities to care about some of those roles and not others, and to be
satisfied with any sufficiently trustworthy binding to the significant
role regardless of any bindings to any other roles.  My bank doesn't care
whose high-school grades those are.

"Who are you" is a devilish difficult question to answer, or even to
understand.

And no matter how you verify someone's identity, you're still playing
probabilities.  Someone could knife me in an alley, destroy the body,
submit to plastic surgery until he looks and sounds just like me, learn my
handwriting and my style and habits, and essentially become me in any way
you might test.  He's got my primary identity documents, after all.  How
likely is that, though?  Now how likely is it that someone marched into
PGP's HQ, shot the receptionist, and is calmly sitting by the phone while
guards are running to find out what the noise was, just when my call comes
in?  (How likely is it that the receptionist is allowed to verify the
company's key fingerprints anyway?)

Bad guys *could* do all kinds of sneaky things, but how likely is it,
what would it cost them, and would they be able to recover the cost
(including the cost of being found out)?  Is it worth the expectation of
trading a nice job for a cell to trick me (that is, nobody) into signing a
bogus key purporting to be from a low-security thing like this?

An artificial person is a lot easier to check out than a natural person.
Have *you* been eyeballed by SEC, D&B, the states of California and
(probably) Delaware, and a host of commercial banks?  I haven't.  Having
established that PGP is likely on the up and up, how likely is it that
they wouldn't take reasonable care with the security of one of their
services' keys, given that their entire income stream is based on a
reputation for reasonable security?

I'd be more likely to trust an unknown person bound to a large business by
a trusted introducer (the telco) than an unknown person with only his own
name for identification, when the former's job and freedom are on the
line and the latter's likely not.

- -- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Open-source executable:  $0.00.  Source:  $0.00  Control:  priceless!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/

iD8DBQFB2CrKs/NR4JuTKG8RAnb9AJ4nZlajoOciTDoypuBiK8VkeE9dtgCgkTEy
I250cSL5Fk3iao8rCZavBtQ=
=oZU2
-----END PGP SIGNATURE-----


