trust your corporation for keyowner identification?

Peter Lebbing peter at digitalbrains.com
Fri Oct 18 11:37:00 CEST 2013


On 18/10/13 08:41, Werewolf wrote:
> Now what if the Company/HR department had a Notary public for their
> documents, and this same Notary had a gpg key he/she treated the same as his/her
> stamp equipment, and used the same standards before signing a gpg key?

Then you could simply sign the notary's key and assign it full ownertrust. No
need to sign keys you verified by checking the notary's signature.

In fact, if I found out someone was uploading signatures to the keyserver for
which they did no more verification than checking the signatures made by people
they trust, I would immediately assign that person "I do NOT trust" in my trust
database. They are poisoning my Web of Trust! If I trust the notary as well, I
can also assign that person ownertrust and get valid keys through his or her
signatures. But if other people are signing keys purely based on the notary's
signature, they are meddling with my parameters "marginals needed", "completes
needed" and "max cert depth".

Suppose I have "marginals needed" set to 3. And 3 people I assigned marginal
trust did no more than verify the signature by the notary before signing some
key themselves. All the verification that has been done on the identity of the
person holding that key is done by a single person, the notary. But I see 3
people who supposedly have verified the identity. Also, if the signature path to
the notary is longer than the signature path to these 3 people, they have just
artificially altered my "max cert depth" by shortcutting the route that would
otherwise have gone through the notary, who actually did the verification.

The moral: I think it is a really bad idea to sign keys because you trust
already made signatures. That's what your trust database is for, use that. You
should sign keys because you verified the identity *outside* the Web of Trust.

All this only applies to exportable signatures. If you wish to make a local
signature on some key to make it valid, go right ahead. You're not meddling with
my Web of Trust that way. You might inadvertently meddle with your own, though!

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
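To make the "marginals needed" argument concrete, here is a small Python model of GnuPG's classic trust computation. It is an added illustration for this thread, not GnuPG's code, and it simplifies the real algorithm (no expiry, revocation or signature-class handling). The constants carry the names of the real gpg.conf options `marginals-needed`, `completes-needed` and `max-cert-depth`; the key names (me, alice, bob, carol, notary, employee) and the `basis` field, which records who really checked an identity, are constructed for the simulation and are exactly the information GnuPG never has.

```python
"""Toy model of GnuPG's classic trust model (added example, not GnuPG code).

Two scenarios from the thread:
  * poisoned_scenario(): three marginally trusted signers certify a key
    after doing nothing but checking the notary's signature on it.
  * notary_scenario():  I lsign the notary's key, give it full ownertrust,
    and let the notary's own signatures validate keys.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Defaults of the gpg.conf options the mail refers to
MARGINALS_NEEDED = 3
COMPLETES_NEEDED = 1
MAX_CERT_DEPTH = 5

# ownertrust levels, as set with "trust" in gpg --edit-key
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"


@dataclass(frozen=True)
class Signature:
    signer: str           # key that made the certification
    key: str              # key being certified
    exportable: bool      # False for an lsign (local, never uploaded)
    # Simulation-only bookkeeping GnuPG cannot see: "self" means the signer
    # verified the identity in person; a key name means the signer merely
    # relied on that key's existing signature. (constructed field)
    basis: str = "self"


class WebOfTrust:
    def __init__(self, ownertrust: Dict[str, str], sigs: List[Signature], me: str):
        self.ownertrust = ownertrust   # my trust database
        self.sigs = sigs               # signatures present on the keys
        self.me = me                   # whose keyring this is

    def _signers_of(self, key: str) -> Set[str]:
        # A local signature exists only in the keyring of whoever made it.
        return {s.signer for s in self.sigs
                if s.key == key and (s.exportable or s.signer == self.me)}

    def key_validity(self) -> Dict[str, int]:
        """Return {key: depth} for every key the trust model considers valid."""
        depth = {k: 0 for k, t in self.ownertrust.items() if t == ULTIMATE}
        all_keys = {s.key for s in self.sigs}
        changed = True
        while changed:               # one pass per depth level, GnuPG-style
            changed = False
            for key in sorted(all_keys - set(depth)):
                trusted = [s for s in self._signers_of(key)
                           if s in depth and depth[s] < MAX_CERT_DEPTH
                           and self.ownertrust.get(s, UNKNOWN) in (MARGINAL, FULL, ULTIMATE)]
                fulls = [s for s in trusted if self.ownertrust[s] != MARGINAL]
                margs = [s for s in trusted if self.ownertrust[s] == MARGINAL]
                if len(fulls) >= COMPLETES_NEEDED or len(margs) >= MARGINALS_NEEDED:
                    depth[key] = 1 + min(depth[s] for s in trusted)
                    changed = True
        return depth

    def independent_verifiers(self, key: str) -> Set[str]:
        """Follow each signature's basis back to whoever really checked the
        identity. Only the simulation can do this; to GnuPG every exportable
        signature looks like a fresh, independent verification."""
        by_signer = {s.signer: s for s in self.sigs if s.key == key}
        result: Set[str] = set()
        for sig in by_signer.values():
            cur, seen = sig, set()
            while cur.basis != "self" and cur.basis in by_signer and cur.basis not in seen:
                seen.add(cur.signer)
                cur = by_signer[cur.basis]
            result.add(cur.signer)
        return result


def poisoned_scenario() -> WebOfTrust:
    """Three marginally trusted people sign 'employee' purely on the notary's word."""
    ownertrust = {"me": ULTIMATE, "alice": MARGINAL, "bob": MARGINAL, "carol": MARGINAL}
    sigs = [Signature("me", "alice", True), Signature("me", "bob", True),
            Signature("me", "carol", True),
            Signature("notary", "employee", True, basis="self"),
            Signature("alice", "employee", True, basis="notary"),
            Signature("bob", "employee", True, basis="notary"),
            Signature("carol", "employee", True, basis="notary")]
    return WebOfTrust(ownertrust, sigs, me="me")


def notary_scenario() -> WebOfTrust:
    """What the mail recommends: lsign the notary's key and give it full ownertrust."""
    ownertrust = {"me": ULTIMATE, "notary": FULL}
    sigs = [Signature("me", "notary", exportable=False),
            Signature("notary", "employee", True, basis="self")]
    return WebOfTrust(ownertrust, sigs, me="me")


if __name__ == "__main__":
    for label, wot in (("signers relying on notary", poisoned_scenario()),
                       ("lsign notary + full trust", notary_scenario())):
        print(label, "->", wot.key_validity(),
              "| people who really verified 'employee':", wot.independent_verifiers("employee"))
```

In the first scenario the model marks `employee` valid because it counts three marginal signatures, yet following the `basis` chain shows a single person did any checking, which is below the threshold the setting was meant to enforce. In the second scenario the same single verification validates the key through the notary's full ownertrust, and because my signature on the notary is local it never appears in anyone else's keyring, so their trust parameters are left alone.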
