trust your corporation for keyowner identification?

Stan Tobias sttob at
Thu Oct 24 01:15:04 CEST 2013

Peter Lebbing <peter at> wrote:
> On 23/10/13 19:26, Stan Tobias wrote:
> > The paradox is removed when we realize that the notary's signature is
> > not a statement about the identity of the person.
> I strongly disagree. The paradox is created by the fact that you screw
> up my Web of Trust parameters by signing stuff based on other people's
> OpenPGP signatures.

No, there's no paradox.  Any liar will screw your parameters.  Notary's
signature is only accidental; it doesn't matter whether someone bases
his certification on tarot, clairvoyance, dowsing rod or someone else's
signature - none of these allows one to draw conclusions about the usage
of the key.

> > One may assume the
> > corporation's proper personal identification, but one cannot derive from
> > the notary's signature the person's willingness to use the key (iow -
> > ownership of the key).
> I don't see how willingness is ownership in other words. 

I use these interchangeably.  A user of a key is normally called "key
owner" (I think).  You become a key owner when you create a key (pair)
and decide to use it (where using implies protection of secret part,
appropriate uids, etc).  You may create a key pair for fun, but without
your will to use it that key does not "represent" you, iow you're not the
"owner" of the key.

> But since I wouldn't sign a key where the owner didn't give me the
> Key ID themself, it would indicate willingness. Even stronger, it
> wouldn't even indicate ownership: they could have given me the Key ID
> of a key where somebody else, the real owner of the key, made a User
> ID with their name in it. I can't verify ownership: even if I see them
> making a signature right before my eyes, they could secretly be talking
> to an automated service somewhere that actually makes the signatures,
> and they might not have access to the key at all. I wouldn't go so far
> as to stick them in a Faraday's cage to ensure they can't communicate
> with the real owner of the key.

I don't quite follow your thoughts.  But maybe this will better clarify mine:
If I saw X create a key pair right before my eyes, with appropriate uid
"Mr X", with a long password, with evidence he can encrypt/decrypt/sign,
on a disconnected computer, and in a Faraday's cage, in an underground
bunker; but if he didn't express to me his *will* to use the key,
I would *not* sign it.

Whether a key owner "shares" his key with someone or something else,
is irrelevant.  You cannot prove it, he may start "sharing" later, you
have no control over it.  I'd say it's his responsibility and his fault.
Anyway, this information is not part of your certification (you don't
certify that he uses his key correctly).

(Below is an extension to the above discussion, and a kind of
counterpoint, where I actually do try to find a paradox.  I like to
argue with myself.)

> > 1. Corporation establishes identity and signs the X's key.  Then, X
> >    e-mails you "I use key 0xABCDEFGH".  The message is signed with the
> >    same key.  Can you sign his key?  There's no reason to disbelieve
> >    the identity (established by the corporation).  The question whether
> >    to believe the authenticity of the message seems to hinge on the
> >    truthfulness of the corporation's certification (Have they signed
> >    the right key?  Are they pulling some joke?).
> > 
> > 2. Same as 1., but X's key is also signed by a few of your good friends,
> >    who have personally checked X's ownership of the key - the probability
> >    of foul play is infinitesimal.  Would you sign now?
> > 
> > 3. Your own cert is involved.  You sign X's key K1.  Then X sends you
> >    "I also use key K2" signed with K1.  Will you certify K2?
> Only 3. would perhaps qualify for a signature, in my opinion. 

:-|  Hmm... I dunno.

> The other 2 are
> food for your trust database or perhaps local signatures, not for exportable
> signatures.
> I should add that signing a message that says "I use 0xABCDEFGH" with
> that same key is a bit silly.

The common thread behind these cases is that X announces (more-or-less
directly) to you his usage of a key, but his communication is
authenticated only by WoT.  In case 2. signing his key is somewhat similar
to what we were discussing above: the certs are not actually the reason
for you to sign, but they are the reason why you believe it is X who is
communicating with you, and the *only* reason.  If you don't think it's
enough to certify his key (at which point does it happen?), then why do
we believe WoT authenticates anything?  Why do we accept, for example,
a conversation by telephone to validate a key fingerprint?

But then cases 2. (2a) and 3. differ basically by your cert being
included in the set.  If you wouldn't certify in case 2., why would you
in case 3?  But then again if you wouldn't certify in case 3., then don't
you believe your own certification?  Or the safety of the communication?
So what do we sign messages for in the first place?

Case 3. is unlike the others in that two of X's keys are present (it
couldn't be constructed any other way); for completeness, it might be
worth formulating one more intermediate case:

2a. Same as 1., but X's key (K1) is also signed by a few of your good friends,
   who have personally checked X's ownership of the key, and X sends you
   "I use K2" signed with K1.  Would you certify K2?

If for some reason you would sign in cases 2a and 3, but not in case 2, X
could trick you: sends you "I use K2" signed by K1 (K1 certed by friends
which you trust), and you sign K2.  Then X sends you "I use K1" signed
by K2 (certed only by you yourself), and you sign K1 (case 3).  K2 may be
revoked now.

> (By the way, hex goes to F ;P).

I know.  No keys were harmed in the making of my post.  :-)

Too long - sorry.
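
The trick from the closing paragraphs (sign in cases 2a and 3, but not in case 2), carried through as a small model. This is an added example, not part of the original post; the case classifier, the `basis` bookkeeping and all names are assumptions made for illustration.

```python
# Constructed model of the post's cases; the encoding below is an assumption.
ME, FRIENDS, CORP = "me", "friends", "corporation"

def classify(certs, signing_key, announced_key):
    """Case number for the message "I use <announced_key>" signed with <signing_key>."""
    signers = certs.get(signing_key, set())
    if ME in signers:
        return "3"    # the message is signed with a key I certified myself
    if FRIENDS in signers:
        return "2" if signing_key == announced_key else "2a"
    return "1"        # only the corporation (or nobody) vouches for the signing key

def run(policy, announcements, certs):
    """Apply a policy (set of cases in which I sign) to announcements in order.

    Returns (keys carrying my certification, basis), where basis[k] is the key
    that signed the announcement I accepted as grounds for certifying k.
    """
    certs = {k: set(v) for k, v in certs.items()}   # work on a copy
    basis = {}
    for signing_key, announced_key in announcements:
        if classify(certs, signing_key, announced_key) in policy:
            certs.setdefault(announced_key, set()).add(ME)
            basis[announced_key] = signing_key
    return {k for k, s in certs.items() if ME in s}, basis

def rests_on_itself(basis, key):
    """Follow my grounds for certifying key; True if the chain returns to key."""
    seen, cur = set(), basis.get(key)
    while cur is not None and cur not in seen:
        if cur == key:
            return True
        seen.add(cur)
        cur = basis.get(cur)
    return False

START = {"K1": {CORP, FRIENDS}}   # K1 certified by the corporation and by friends
POLICY = {"2a", "3"}              # sign in cases 2a and 3, refuse in case 2

if __name__ == "__main__":
    print(run(POLICY, [("K1", "K1")], START))                 # case 2: refused
    mine, basis = run(POLICY, [("K1", "K2"), ("K2", "K1")], START)
    print(sorted(mine), basis, rests_on_itself(basis, "K1"))  # K1 signed anyway
```

Under this policy the direct request for K1 is refused, yet the two-step exchange ends with K1 certified, and the grounds for that certification lead back to a message signed by K1 itself.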
