Signing a key (meaning)

takethebus at gmx.de takethebus at gmx.de
Thu Apr 7 10:31:24 CEST 2011


Hi everybody out there,

I put some thought into the meaning of signing a key and came to an
unusual definition. Maybe someone would like to discuss it with me, since
I'm not quite sure whether I should recommend that others interpret
signing that way.

Definition: Signing a key means saying: "I confirm the full name in
the key's ID is the keyowner's right name. The email address in the ID
is the one the keyowner put there, but I cannot guarantee it's
his/hers."

Here are the reasons why I think this definition is handy:


1. Assumption: Only the keyowner possesses the private key.
2. Assumption: The person I do the fingerprint-check with wants to
receive a message from me. 

1. Assumption and 2. Assumption =>
1. Conclusion: The person I do the fingerprint-check with sends me
her/his own public key.

1. Assumption and 2. Assumption =>
2. Conclusion: The person I do the fingerprint-check with put an email
address in the public key's ID to which she/he has access. (We know
that without taking a look at the email address AT ALL.)


3. Conclusion: If signing a key has the meaning as stated above, no
information will be revealed to persons who were not intended as
recipients.

"3. Conclusion" is true, because there are only two possible cases:

1. Case: 
The person I do the fingerprint-check 
with puts his/her RIGHT email address in the key's ID.
I don't check the email address, but the Name in 
the ID and sign the key. 
--> No problems.

2. Case:
The person I do the fingerprint-check 
with (let's call him Peter Hansen) 
doesn't put his, but Anna's email address (anna at web.com)
in the key's ID, because he managed to get access to it (attack). 
I don't check the email address, but the Name in 
the ID and sign the key. The ID is now: "Peter Hansen anna at web.com".
Let's say Marie somehow gets this signed key. There are again two cases:

2.1 Case: 
Marie wants to send Anna a message. 
Although she recognizes Anna's email address and 
my signature, she will not use the key, because there's
"Peter Hansen" written in the ID. 
--> No problem.

2.2 Case:
Marie wants to send Peter Hansen an encrypted email. Then she will 
use the key and send it to anna at web.de and Peter 
will even receive it, since he has access. 
--> No real problem. 

2.2 Remark: If Peter just made a mistake when typing the email 
address, he will not be able to access the message.
But that's his own fault, not mine. 

I'm grateful for answers.

Take care, 
Jan
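
The selection Marie performs in cases 2.1 and 2.2, written out as an added Python example (not part of the original post and not GnuPG code). It assumes user IDs in the conventional `Name (comment) <address>` form; the keyring, the placeholder fingerprint, the name "Anna Example" used in the test and the `keys_for_address` lookup are constructed for illustration.

```python
import re
from typing import NamedTuple

# Conventional user ID layout: "Full Name (optional comment) <address>"
USER_ID = re.compile(
    r"^(?P<name>[^(<]*?)\s*(?:\((?P<comment>[^)]*)\))?\s*(?:<(?P<email>[^>]*)>)?$"
)

class Key(NamedTuple):
    fingerprint: str       # constructed placeholder, not a real fingerprint
    user_id: str
    signed_by: frozenset   # who certified this user ID

def split_user_id(user_id):
    """Return (name, lower-cased address) from a user ID string."""
    m = USER_ID.match(user_id.strip())
    if m is None:
        raise ValueError(f"unparseable user ID: {user_id!r}")
    return m["name"].strip(), (m["email"] or "").lower()

def keys_for_person(keyring, signer, full_name):
    """Select by the certified part only: the name in a user ID signed by `signer`.
    The address is returned alongside but treated as unverified."""
    hits = []
    for key in keyring:
        name, email = split_user_id(key.user_id)
        if signer in key.signed_by and name.casefold() == full_name.casefold():
            hits.append((key.fingerprint, email))
    return hits

def keys_for_address(keyring, signer, address):
    """Contrast (hypothetical lookup): select by address alone, ignoring the name."""
    return [
        key.fingerprint
        for key in keyring
        if signer in key.signed_by
        and split_user_id(key.user_id)[1] == address.lower()
    ]

# Constructed keyring for case 2: Peter's key carries Anna's address, signed by Jan.
KEYRING = [Key("FPR-PLACEHOLDER-PETER", "Peter Hansen <anna@web.com>", frozenset({"Jan"}))]
```

Under the post's definition only `keys_for_person` is backed by the signature. `keys_for_address` returns Peter's key for Anna's address, which is the selection case 2.1 relies on Marie not making.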


