signing a robot's key - was: Re: Global Directory signatures

Jean-David Beyer jdbeyer at exit109.com
Mon Jan 3 15:11:15 CET 2005


Mark H. Wood wrote (in part):
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Sat, 1 Jan 2005, Neil Williams wrote:
> 
>>On Saturday 01 January 2005 4:40 pm, Mark H. Wood wrote:
>>
>>>So, looking up PGP Corporation in the phone book, calling their corporate
>>>headquarters, and verifying the fingerprint with a person wouldn't help?
>>
>>1. You are still trusting an unknown person you've never met to give you the
>>right information, just on the basis of their employer.
> 
> 
> How is this different from trusting an unknown person I've never met
> (before) on the basis of his being able to produce a couple of cards which
> have his likeness (more or less) and the name he gave me?  One reason I
> haven't been to any keysigning parties is that I wouldn't trust my ability
> to verify someone's identity.
> 

> An artificial person is a lot easier to check out than a natural person.
> Have *you* been eyeballed by SEC, D&B, the states of California and
> (probably) Delaware, and a host of commercial banks?  I haven't.  Having
> established that PGP is likely on the up and up, how likely is it that
> they wouldn't take reasonable care with the security of one of their
> services' keys, given that their entire income stream is based on a
> reputation for reasonable security?
> 
I was eyeballed by the FBI when I became a U.S. citizen, and again when I 
needed a SECRET security clearance with the U.S. Navy's Bureau of Weapons 
(I think it was called). But you know, that may not prove anything either.

Because what is my primary document that proves I am me? And who is ME 
anyway? To establish my identity to the INS, I provided a notarized slip 
of paper from my grade school giving my name and date of birth. And my 
grade school and high school diploma. I do not remember if I had my 
college degree in hand yet (though I had earned it). But the board of 
education got that date from my father who told them. He had no documents 
to prove it (my birth certificate was destroyed in WW-II by the Nazis). 
So, if I were a hyperskeptic, I could not be sure the guy I grew up with 
is really my father, nor could I really know my exact age. But the Bureau 
of Weapons was satisfied that I (or whoever they thought they 
investigated) would not betray their secrets. And how did I get access to 
their secrets? I went to where the secrets were kept, told my name to the 
person at the desk at the front door, where guards with submachine guns 
were standing around, and they asked where my clearance was. I told them 
Johnsville, MD., they telephoned someone, and I walked in. They did not 
even check my driver's license (no photo ID in those days) to see if I 
were who I said I was.

-- 
   .~.  Jean-David Beyer          Registered Linux User 85642.
   /V\  PGP-Key: 9A2FC99A         Registered Machine   241939.
  /( )\ Shrewsbury, New Jersey    http://counter.li.org
  ^^-^^ 08:55:00 up 2 days, 22:14, 3 users, load average: 4.26, 4.24, 4.19



