Signing

Grant Olson kgo at grant-olson.net
Mon Jan 3 01:50:05 CET 2011


On 1/2/2011 7:19 PM, Robert J. Hansen wrote:
> On 1/2/2011 7:11 PM, takethebus at gmx.de wrote:
>> When signing a public key's user ID, the statement I'm making is: "I
>> believe that this key belongs to the person described by the name and
>> the comment in the user ID."
> 
> There is no fixed semantic meaning for a signature.  Each signer is
> responsible for deciding what their signature means.  Some people sign
> keys and mean nothing more than, "I have successfully exchanged emails
> with this address."  Some people are quite a bit more paranoid.  :)
> 

And of course there are also no fixed semantics for the UID.  It's just
a random string.  gpg arguably obscures this by asking you three
questions when generating the ID, but the ID string can be anything.

So ultimately, a signature is saying "I believe this arbitrary ID,
whatever it is, is valid, by whatever method I used to validate it."
OpenPGP lets you describe your own security model, which is its blessing
and its curse. ;-)

That's where the trust rating comes into play.  It's how much you trust
another person to sign keys in a way you consider appropriate.  Validity
is how much you 'trust' that the key itself is valid.  That can be a bit
confusing at first.

I for one trust the PGP Global Directory just fine, at least for casual
communication.  That performs the opposite certification that we're
talking about.  It validates that the email address is controlled by the
key owner (barring a man-in-the-middle attack), and does nothing to
validate the person himself.

But anyway, I'd be reluctant to sign a key that said something like
"Grant Olson (Nightwatch Division) <tips at fbi.gov>" if I knew this person
had no affiliation with the FBI, or didn't know that he did, whether or
not I thought the owner of the key could exploit the bogus email address.

-- 
Grant

"Can you construct some sort of rudimentary lathe?"
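As an added illustration of the owner-trust versus validity distinction Grant describes (not code from the thread or from GnuPG), the following simplified model applies GnuPG's documented classic trust rules to a constructed keyring. It assumes GnuPG's default thresholds (completes-needed 1, marginals-needed 3, max-cert-depth 5), treats validity per key rather than per user ID, ignores trust signatures, and uses placeholder names instead of real key ids.

```python
# Simplified model of GnuPG's classic trust calculation (added example).
# Owner trust is what YOU assign to a key holder; validity is what gets
# computed from signatures.  Thresholds are GnuPG's defaults (assumption).
from typing import Dict, Set

ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5


def compute_validity(signatures: Dict[str, Set[str]],
                     ownertrust: Dict[str, str]) -> Dict[str, str]:
    """Map every key id to "full", "marginal" or "unknown" validity.
    signatures: key id -> ids of the keys that certified its user ID.
    ownertrust: key id -> owner trust you assigned (unlisted keys: none)."""
    # Your own (ultimately trusted) keys are valid by definition.
    validity = {k: "full" for k, t in ownertrust.items() if t == ULTIMATE}
    for _depth in range(MAX_CERT_DEPTH):        # one signature hop per round
        found = {}
        for key, signers in signatures.items():
            if validity.get(key) == "full":
                continue
            # A signature counts only if the signer's key is itself fully valid;
            # the signer's owner trust then decides how much weight it carries.
            usable = [s for s in signers if validity.get(s) == "full"]
            fulls = sum(ownertrust.get(s) in (ULTIMATE, FULL) for s in usable)
            margs = sum(ownertrust.get(s) == MARGINAL for s in usable)
            if fulls >= COMPLETES_NEEDED or margs >= MARGINALS_NEEDED:
                found[key] = "full"
            elif fulls or margs:
                found[key] = "marginal"
        validity.update(found)
    return {k: validity.get(k, "unknown") for k in set(signatures) | set(ownertrust)}


def demo() -> Dict[str, str]:
    """Constructed keyring: key ids are placeholders, not real fingerprints."""
    signatures = {
        "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
        "erin": {"alice"},                  # one fully trusted signer
        "frank": {"bob", "carol", "dave"},  # three marginally trusted signers
        "grace": {"bob", "carol"},          # only two marginals -> marginal
        "heidi": {"erin"},                  # erin's key is valid but untrusted
        "ivan": {"grace"},                  # grace is trusted but only marginally valid
    }
    ownertrust = {"me": ULTIMATE, "alice": FULL, "bob": MARGINAL,
                  "carol": MARGINAL, "dave": MARGINAL, "grace": FULL}
    return compute_validity(signatures, ownertrust)
```

Calling `demo()` shows the two cases that confuse newcomers: heidi stays unknown because erin's key is valid but you never assigned erin any owner trust, and ivan stays unknown because grace has full owner trust but her own key is only marginally valid.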
