trust your corporation for keyowner identification?
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Nov 7 19:40:22 CET 2013
On 11/07/2013 11:09 AM, Leo Gaspard wrote:
> Except they do not have to know X, nor that he makes perfectly reasonable
> decisions in signing keys.
>
> And I believe it's not noise. Let's make an example in the real world:
> * I would entrust X with my life
> * X would entrust Y with his life, without my knowing it
> * Thus, if I actually entrusted X with my life, why should I be frightened if X
> asked Y to take care of me? Provided, of course, X told me he was letting Y
> take care of me. After all, I would entrust X with my life, so I should just
> agree to any act he believes is good for me.
> (That's what I called blind trust. Somewhat more than full trust, I believe.)
if we're talking about gpg's concept of "ownertrust", please do not
muddy the waters with "entrust X with my life"? gpg's "ownertrust" is
much more narrow than that: it says "I am willing to rely on OpenPGP
certifications made by the holder of this key".
"entrust with my life" is not simply a superset of all other trust. I
have friends who would take care of me if i was deathly ill. I would
place my life in their hands. But they have never thought about how to
do rigorous cryptographic identity certification, and I would not rely
on their OpenPGP certifications.
>> Let's get back to ownertrust: in the Web of Trust, ownertrust is an expression
>> of how well you think other people verify identities before they sign a key. If
>> you sign key K2 based on X's signature, you haven't verified Y's identity.
>> You've probably verified X's identity, but not Y's. So you shouldn't sign K2.
>
> So, is a signature a matter of belief in the validity of the key or of actual
> work to verify the key?
An OpenPGP certification says "I believe that Key X belongs to the
person identified by User ID U". Most people would not want to make
that statement publicly without having thought about it and convinced
themselves somehow that it is true. What it takes to convince each
person may well vary, which is why we assign different ownertrust to
different people. When making a public assertion like an OpenPGP
certification, it is also probably reasonable to ask what the parties
involved (or the rest of the world) gains from making that statement.
Just because you believe a statement to be true doesn't mean you need to
make it publicly, with strong cryptographic assurances, and it may have
bad consequences.
Also, consider that certifications are not necessarily forever. If
Alice relies solely on Carol's certification to believe that key X
belongs to Bob, and Alice then certifies (Bob,X), what does Alice do if
Carol revokes her certification? If Alice doesn't pay attention and
revoke her own certification, then she is announcing as fact to the
world something that she should no longer believe to be true (assuming
that she was relying only on Carol's certification for that belief).
This sounds like an untenable maintenance situation I personally would
rather avoid, which is why i do not make public certifications based
solely on other people's certifications.
> If I understood correctly, the depth parameter you are talking about is useless,
> except in case there are trust signature. And you agreed with me for them to be
> taken out of the equation.
The depth parameter is useful even without trust signatures. Peter
Lebbing's response upthread describes the scenario.
Regards,
--dkg
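A toy model of the ownertrust and depth semantics discussed in this message, written as an added example (it is not gpg's code and it simplifies gpg's trust model): Alice's view of which keys are valid under a certification depth cap, plus a check for the maintenance problem described above, where Alice's own certification of (Bob, X) outlives Carol's. The key names, the certification graph and the `basis` field recording what a certification relied on are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Cert:
    """One OpenPGP-style certification: `signer` vouches that `key` belongs to `uid`."""
    signer: str            # key id of the certifier
    key: str               # key id being certified
    uid: str               # User ID the certifier vouches for
    revoked: bool = False
    basis: tuple = ()      # (signer, key) certs this one rested on, if not first-hand


def valid_keys(own: str, certs: list, ownertrust: set, max_depth: int) -> dict:
    """Simplified Web of Trust validity, as seen from key `own`.

    A key is valid if a non-revoked certification on it was made by `own` or by
    an already-valid key whose holder `own` has assigned ownertrust (no trust
    signatures, so ownertrust is never delegated). `max_depth` caps the chain
    length, in the spirit of gpg's --max-cert-depth. Returns {key: depth}.
    """
    depth = {own: 0}
    frontier = {own}
    for d in range(1, max_depth + 1):
        introducers = {k for k in frontier if k == own or k in ownertrust}
        new = {c.key for c in certs
               if not c.revoked and c.signer in introducers and c.key not in depth}
        for k in new:
            depth[k] = d
        frontier = new
        if not new:
            break
    return depth


def stale_own_certs(own: str, certs: list) -> list:
    """Certifications `own` made that rested only on other people's
    certifications, every one of which has since been revoked."""
    live = {(c.signer, c.key) for c in certs if not c.revoked}
    return [c for c in certs
            if c.signer == own and not c.revoked and c.basis
            and not any(b in live for b in c.basis)]


def scenario():
    """Constructed graph (not from the thread): Alice verified Carol herself,
    relies on Carol's and Dave's certifications, and certified Bob based
    solely on Carol's certification."""
    certs = [
        Cert("alice", "carol", "Carol"),
        Cert("carol", "bob", "Bob"),
        Cert("carol", "dave", "Dave"),
        Cert("dave", "eve", "Eve"),
        Cert("alice", "bob", "Bob", basis=(("carol", "bob"),)),
    ]
    ownertrust = {"carol", "dave"}
    before = valid_keys("alice", certs, ownertrust, max_depth=3)
    shallow = valid_keys("alice", certs, ownertrust, max_depth=2)  # Eve drops out
    certs[1].revoked = True            # Carol revokes her certification of Bob
    after = valid_keys("alice", certs, ownertrust, max_depth=3)    # Bob still valid
    return before, shallow, after, stale_own_certs("alice", certs)
```

Eve's key only becomes valid when the depth cap allows the three-step chain, and after Carol's revocation Bob's key stays valid for Alice purely because of her own now-unsupported certification, which `stale_own_certs` flags.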