Managing Subkeys for Professional and Personal UIDs

Robert J. Hansen rjh at sixdemonbag.org
Sun May 4 10:30:23 CEST 2014


> That practice is the same as asking you to sign blank sheets of paper so
> they can later write on them what they like.

The better comparison is to the autopen.  And if that's good enough for
President Obama...

The autopen is a machine that replicates a physical signature.  That's
pretty much a perfect analogue to what we're talking about here: should
it be possible for a third party to recreate your digital signature?

Should it be possible for a third party to recreate your *physical*
signature?  That one has been conclusively answered 'depending on the
circumstances, yes!' time and time again.  Consider the President as an
example: he may wish to sign a piece of legislation but he's
unfortunately unavailable for signatures.  Instead, he contacts a
trusted secretary and orders the secretary to autopen his signature on a
document -- said signature, since it is made on his behalf (even if it's
physically made by a machine operated by a third person), being just as
legally binding as if he himself had written his signature.

Are there good business reasons for third party escrow of signing keys?
Quite probably.  If you can think of a situation where an autopen is
appropriate, whether in business or in government, that's also a
situation where third-party escrow of signing keys would also likely be
appropriate.


