Questions about generating keys

Sven Radde sven at radde.name
Sat Aug 25 10:47:52 CEST 2007


Hi!

Robert J. Hansen wrote:
>> Think of it this way. Let's say you don't trust Google for some reason.
>> Then you go to https://mail.google.com, and verify that the SSL
>> certificate is correct, so you can be sure you're not on a phishing site.
>> Would you now claim that the site isn't authentic, just because you don't
>> trust Google?
> 
> Darn right I wouldn't.
> 
> If I had good reason to believe Google was up to something nefarious,
> there is nothing in heaven or earth that would cause me to say "yes,
> that site is authentic."
> 
> Trust is the ultimate dealbreaker.  Always has been, always will be.

I think it is undefined what it means / should mean that "a site is
authentic" here.
1) If it means "the site contents are created by a particular firm", it
is not necessary to trust that firm in any way to deem the site "authentic".
2) If it means that the site content is harmless or the owner treats
personal data well or something like that, trust in the owner would be
required (in addition to trust in the ownership as such, as defined in 1).

It is the same with "trusting" keys in GnuPG. Trust, in this case, only
means that the key belongs to a particular person (by inductive
reasoning as you explained very nicely). The person itself could be a
total a**h**e but that would not prevent trust in the key.
It would not even prevent the GnuPG concept of "ownertrust". If I know
that said a**h**e, despite his other attitudes, always takes utmost
care in verifying other people's keys, I can assign an appropriate
ownertrust.
There can also be some people that I really, really trust personally but
that are totally clueless about the correct verification procedures when
signing other people's GnuPG keys. In fact, I know some. So, although
I trust them, I did not assign any ownertrust to their GnuPG keys
(it's not that they would sign many keys anyway...).

As another point, think of codesigning-certificates. Just because, e.g.,
an ActiveX control is signed, it does not mean that it is safe, or
whatever property one would like to claim about its contents/functions.
It only means that it was created by the certificate owner and not
manipulated by a third party.

In summary, we must note that GnuPG, SSL certificates or cryptography
as a whole can only help with point 1) mentioned above.
Everything beyond "proof of ownership/creation" is more of a social
issue that cannot be solved by crypto. However, it is impossible to do
reasoning about the contents themselves, if the ownership isn't
established first.

cu, Sven


