[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Keysigning without physically meeting ... thoughts?

On Sun, Jun 12, 2005 at 11:49:29AM +1000, Brian May wrote:
> Can I please ask the blindingly obvious question that is so obvious
> nobody has asked?

> What is the point of keysigning? 

> What are we setting out to achieve?

- To authenticate a person's real-world identity
- To verify that the person so identified controls a specific email address
- To verify that the person so identified controls a specific PGP key

> Ok, so I get my key signed, using what I believe to be the standard
> process[1][2][3][4][...]:

> 1. I claim to be "Brian May". I have a passport that proves that I am
>    in fact "Brian May". I have a drivers license that proves that I am
>    "Brian May". The photos are identical to what I look like. Assume
>    none of these are forged. I suspect many people would not be able
>    to tell a forgery, even if it technically is illegal. Often the
>    photo looks nothing like the person (due to shave, glasses, hair
>    style, etc). In this case though, I am very convincing that I am
>    Brian May. People who know me and see me can also confirm this.

> 2. I claim key-id 00530C24 with fingerprint 9918 7E12 ABAF 54EA 9C9E
>    27A5 B828 A71C 0053 0C24 is mine. In fact, numerous people have
>    already signed this key for me.

> 3. You obtain a copy of my key with the following UIDs, and sign all
>    of them:

>    Brian May <brian@snoopy.apana.org.au>
>    Brian May <brian@microcomaustralia.com.au>
>    Brian May <brian@debian.org>
>    Brian May <brian@ivt.com.au>
>    Brian May <brian@sws.net.au>

>    (note: assume for this keysigning I deleted my old UIDs and added
>    several new ones that I should have added several years ago).

> 4. Either:

>    a) You send a copy of my key, to me, to the first address[1].

>    b) You send a copy of my key, encrypted using my key, to the first
>       address. Do this if I you know I want to keep my public key
>       private[2]. Or do this if the key signing session was a "smaller
>       group"[3].

>    c) You upload to a key server. Do this only if you know I want the
>       public key to become public[2], or if keysigning wasn't a
>       "smaller group"[3]. Or just do this anyway[4].

>    I have heard various reasons why each alternative is better then
>    the other alternatives. Read the references.

> Is this process "correct"? Or did something go seriously wrong here?
> If it was correct, why was it correct? If it was wrong, why was it
> wrong?

Many people consider all of options a), b), and c) to be inappropriate, and
will instead encrypt each of the uid signatures individually and mail them
to the corresponding email address, to verify that you control each address.

> Assume this key isn't already in the Debian keyring (it is),
> but I am an existing Debian Developer. If you were the Debian
> administrators, would you have any problems adding this key to the
> Debian keyring?  What if I only supplied my Debian UID, and my public
> key was otherwise private?

I'm not sure I understand the question.  What problem *should* anyone have
adding such a key to the keyring?  As a keysigner, I'm concerned about not
signing uids that assert email addresses you don't actually control, but as
a keyring maintainer, it would be very difficult to assert that you *don't*
control one or more of those email addresses; unless you send a key that has
a fraudulent debian.org address on it (or other bogus address which I know
is fraudulent), I don't see why there would be an issue here.

> So after having my key signed, I get my name legally changed to "John
> Doe". As such, I get my passport, etc, reissued under "John Doe". Does
> this suddenly mean my key is invalid? If so why? What if my email
> address of brian@snoopy.apana.org.au was still valid? Would it be OK
> to sign a UID for "John Doe" if the UID was "Brian May
> <brian@snoopy.apana.org.au>" or "John Doe
> <brian@snoopy.apana.org.au>", but I didn't have any proof of ever
> being "Brian May"?  Why/Why not?

It would be ok to sign John Doe <brian@snoopy.apana.org.au>.  It would not
be ok to sign Brian May <brian@snoopy.apana.org.au>.  A signature is a claim
that the name in the UID corresponds to the real-world identity of the
person who controls the key; which, by virtue of your name change, would no
longer be true.

I have had people offer me keys for signing before, where the name on their
state ID and the name on the piece of paper they gave me didn't match the
name on their PGP key.  I didn't sign those keys.  While I could say that I
have some ephemeral trust path to the owner of that key, none of the uids
present on the key were suitable for me to express this to other people.

> What if my past email address was something cryptic, like
> xyz12432@snoopy.apana.org.au, how would you know if this was suppose
> to belong to "Brian May" or "John Doe"?

Why does that matter?  You sign it, or don't, based on the name part of the
uid; and if you want to additionally verify that the person controls the
email address, you encrypt the signature and send it to that address.

> What if I got my name legally changed to "Branden Robinson"? Shouldn't
> I be able to get my key signed? Just because my name happens to be the
> same as some other person on this planet...

Of course you should.  Has someone said you shouldn't?

> Or would it be better if I invented an alias? Then my key ID wouldn't
> match my legal ID.

*Why* would that be better?

> What if everyone knows me by an alias, but I haven't/don't want to
> change my legal name? "Rusty Russell" is one well known example. If my
> key uses my real name, people may not realize it is me.

Why is that a problem?  People will either come to terms with the fact that
your common name doesn't match your legal name (and thus doesn't match the
name on your PGP key), or they won't.  If you're worried that they won't,
get your name legally changed?

> I can't help but wonder if we have become to obsessed with signing a
> key to a particular name, that we have lost track of what we are
> trying to achieve. Just because the name matches (or is almost
> identical) does not mean it is the same person. Even if this key has
> hundreds of trusted signatures and the name is identical, it still
> doesn't mean it must be the same person.

Certainly, it doesn't mean that they're the same person.  Who has asserted
that this is the case?  Just because there may be more than one person with
the same real name using PGP doesn't invalidate the practice of ensuring
that the name on a key is the same as the person's real name.

Steve Langasek
postmodern programmer

Attachment: signature.asc
Description: Digital signature

Reply to: