Questions about generating keys
Robert J. Hansen
rjh at sixdemonbag.org
Sat Aug 25 15:00:07 CEST 2007
Sven Radde wrote:
> 1) If it means "the site contents are created by a particular firm",
> it is not necessary to trust that firm in any way to deem the site
> "authentic".

How do you know it's created by a particular firm? Who told you? How
did you find out? What's the provenance of your information? How was
it conveyed to you?

Ultimately, you trust _someone_. Which is precisely the point I made:
trust underlies everything. Without that fundamental trust, there's no
point talking about authenticity.

Each person gets to decide for themselves what are the fundamental
questions of trust, as well as answers to those questions. These are
the holiest of the holies in a security policy; these are heartbeats
that animate every policy and mechanism. Where does the trust lie, and
what implications does this trust--or lack thereof--have on the rest of
the system?

> It is the same with "trusting" keys in GnuPG. Trust, in this case,
> only means that the key belongs to a particular person (by inductive
> reasoning as you explained very nicely).

No disagreement, but a terminology note: the terms "keytrust" and
"ownertrust" appear to be on their way out, replaced by "validity" and
"trust". Speaking for myself, I like this change; it seems to reduce
confusion in newcomers.

> The person itself could be a total a**h**e but that would not prevent
> [key validity].

This was pointed out in my post. At some point you say "I trust them
because I trust them." If you choose to trust someone despite knowing
they are fundamentally untrustworthy, that's your choice, and I don't
have any say in it.

As for me, I choose not to trust people I consider fundamentally
untrustworthy. Nobody else has a say in that, either.

> If I know that said a**h**e, despite his other attitudes, always
> takes utmost care in verifying other people's keys, I can assign an
> appropriate ownertrust.

This is not about being nice or being a jerk.

Authenticity != trust != niceness. While authenticity is dependent upon
trust, niceness appears orthogonal to them both.

> As another point, think of codesigning-certificates. Just because,
> e.g., an ActiveX control is signed, it does not mean that it is safe,

Correct. On the other hand, if it's signed by someone you trust
(there's that word again), then there's no reason not to use it. After
all, its provenance is vouched by the signature... the signature is
vouched by the key... the key is vouched by some trust relationship...
and ultimately you reach the "I trust it because I say so and it's my
choice" point.

> or whatever property one would like to claim about its
> contents/functions. It only means that it was created by the
> certificate owner and not manipulated by a third party.

The signature only says the certificate owner vouches for the provenance
of the code, not necessarily that the author vouches for it. Unless you
have the special case where the signer is the same as the author.