[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Migrating to GPG - A mini-HOWTO

Michael Meskes <meskes@debian.org> writes:

> On Tue, Sep 14, 1999 at 09:21:22AM +0100, Philip Hands wrote:
> > Are you saying that people should sign keys received via e-mail,
> > rather than face to face ?
> > 
> > If so, I'm strongly against this.
> 
> Why?

I'd have hoped that that was clear by now, but I'll go for it one more
time because if people start signing keys on any other basis than ``I
saw the person, I saw and was convinced by their ID, and they gave me
their key's fingerprint'' then we might as well throw our web of trust
in the bin.

...
> Yes, I can revoke my key once I notice this. But the compromiser can also
> create a new key for me and revoke the old one for me. So I have no access
> anymore to my own PGP key as well. Where's the difference with the GPG keys?

This is exactly right.

So once this has happened we have two possible scenarios:

1) People adopt your ``sign any key signed by the old key'' approach,
   in which case the evil key stealer will have the new key signed by
   loads of people you met once, and their adoption of your identity
   will be complete.

2) People only sign the new key if YOU physically prove that it is
   your key, in which case the evil key stealer will only have your
   signature on the new key.
   Meanwhile you will be able to generate a new key, and get it signed
   by some other people, thus recovering your identity, since your key
   must be the one that has other people's signatures on it.

I know there is some pathetic kudos about how many signatures you have
on your key, but if none of them are real signatures what good does it
do us ?

If a digital signature is enough to prove the provenance of a key
(which under normal circumstances it is) then the fact that you've
signed your new key with your old key is all we need to extend the web
of trust to the new key.

If that key is in fact compromised, and we are suspicious about
something signed by it, then we can look at the signature list and
find that it only has one signature on it, which gives us some useful
data about how trustworthy it is.  If people were to adopt the
approach that they'll sign any key purporting to be from the people
they've signed keys for already, then the fake key will soon have all
the same signatures as the old key, and we have no way to tell the
difference.

Personally, if I discover that a person have been signing keys without
physical independent proof of identity, I'll be setting that signer's
key's trust level to ``never''.  I'd hope the same goes for the
project as a whole.

Cheers, Phil.
Reply to: