Delete key from keyserver

zvrba at globalnet.hr
Wed Oct 26 23:04:16 CEST 2005


On Wed, Oct 26, 2005 at 08:01:15PM +0100, Neil Williams wrote:
> 
> I wouldn't sign the email only one because an email address can be accessible 
> to more than one person. If I'm encrypting to this key, I want to know to 
> WHOM I am writing.
> 
In some cases you can't know to WHOM you are writing. What if you are writing
to e.g. some company's helpdesk? They use a generic email address like
helpdesk at some.company.com, and all employees (possibly more than one)
share the same key? What purpose does the "real name" serve in such a case?

>
> You do not sign for your own benefit but to assist others. It is other 
> people's perceptions of the act of signing that are important.
> 
I argue then that the current perception is flawed [I dare not say wrong.]
Apart from legal business, I really do not care whether you are "the real"
Neil Williams.

Take for example another figure: Werner Koch. I do not know and do not
care whether he's "the real" WK when checking GPG releases. What is
important to me is that the new GPG release is signed with the same key as
some old release. In this case my trust in the new release is not
based upon the "real" identity of the key owner, but on the reputation
of the GPG software itself.

To put my idea of "trust" more clearly: certain email addresses[1] build
up some sort of "reputation" in my view (e.g. as WK has with GPG). What the
signature tells me is that I'm dealing with the same entity behind the
email that has already built up some reputation. "Reputation" can be
applied not only to individual persons but also to more general entities like
helpdesks, etc.

[1] I deliberately do not say persons

> 
> The real name always matters. email-only verification is pointless - it 
> doesn't strengthen the web of trust.
> 
On the contrary, I think that the real name almost never matters, except
in legal cases where at least one party is concerned about possible future
litigation. I don't see GPG either designed for such a purpose or any
country's laws acknowledging a GPG signature as legally valid.

> 
> So sign it locally. By signing it with an exportable signature, you are trying 
> to indicate to ME that you have verified the identity of that person, not 
> just the email account.
> 
I'm curious why everyone is so obsessed with "face to face" verification.
I mean, the only useful case for face-to-face verification is:

1. you have somehow learned my real name ("Zeljko Vrba")
2. you don't know my email address, or you have perhaps found it in the
   same place as my real name
3. you want to send some encrypted data to me

Key signing in this case helps only if someone is actively trying to
impersonate me.

But.. <paranoia to the maximum>: how do I know that the current WoT and
keyservers are not totally fake? Given almost any key, I can't find a path
that leads to some person that I trust. What gives..?

I rearranged this mail a bit...

> 
> A signature is a *public* testimony that you have verified this person.
> 
> BTW. Knowing this in advance, I would not sign your key even if I could verify 
> your physical identity, fingerprint and email address. It would send the 
> wrong signal to those who already know me.
> 
Aren't these two statements a bit contradictory? What "wrong signal"?
It's other people's decision whether to trust Alex's key signatures
based on what he has said up to now.

Uf, it's late; I can probably elaborate on this more clearly tomorrow.
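The key-continuity notion argued in the mail (trust the new release because it carries a valid signature from the same key that signed the earlier release, whatever real name is on that key) can be written down as a check over the machine-readable lines that `gpg --status-fd 1 --verify <sig> <file>` prints. The following Python is an added example, not code from the original post or from GnuPG; the GOODSIG/VALIDSIG field layout is the one GnuPG documents in doc/DETAILS, while every fingerprint, user ID and status line below is constructed for the example and belongs to no real key.

```python
"""Key-continuity check over GnuPG --status-fd output.

Added example, not code from the mailing-list post or from GnuPG.  It
implements the trust notion from the mail: a new release is accepted
because it is signed by the same key as the previous release, regardless
of the name or email on the key.  Input is the stdout of
    gpg --status-fd 1 --verify release.tar.gz.sig release.tar.gz
All status lines, fingerprints and the user ID here are constructed.
"""
from dataclasses import dataclass
from typing import Optional

PREFIX = "[GNUPG:] "


@dataclass(frozen=True)
class SigResult:
    valid: bool
    signing_fpr: Optional[str]   # fingerprint of the (sub)key that made the signature
    primary_fpr: Optional[str]   # fingerprint of the primary key that owns it
    user_id: Optional[str]       # user ID text from GOODSIG, informational only


def parse_status(status_output: str) -> SigResult:
    """Extract the signing key from gpg status lines.

    VALIDSIG is the authoritative line; its fields are
      VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved> <pk-algo>
               <hash-algo> <sig-class> [<primary-key-fpr>]
    GOODSIG carries a key ID plus the user ID text.  The user ID is exactly
    what the mail argues we should not base trust on, so it is only kept
    for display.  BADSIG/ERRSIG lines never produce a VALIDSIG, so the
    result stays invalid.
    """
    user_id = None
    valid = False
    signing_fpr = primary_fpr = None
    for line in status_output.splitlines():
        if not line.startswith(PREFIX):
            continue
        fields = line[len(PREFIX):].split(maxsplit=2)
        if not fields:
            continue
        if fields[0] == "GOODSIG":
            user_id = fields[2] if len(fields) > 2 else None
        elif fields[0] == "VALIDSIG":
            parts = line[len(PREFIX):].split()
            signing_fpr = parts[1].upper()
            # Old gpg versions omit the primary fingerprint; fall back to the signing key.
            primary_fpr = parts[10].upper() if len(parts) > 10 else signing_fpr
            valid = True
    return SigResult(valid, signing_fpr, primary_fpr, user_id)


def continuity_ok(previous_status: str, current_status: str) -> bool:
    """True iff both signatures are valid and made under the same primary key.

    Comparing the primary fingerprint rather than the signing subkey lets a
    maintainer rotate signing subkeys without breaking continuity, while a
    different primary key with an identical user ID is rejected.
    """
    old = parse_status(previous_status)
    new = parse_status(current_status)
    return old.valid and new.valid and old.primary_fpr == new.primary_fpr


# --- constructed sample data; these fingerprints belong to no real key ---
PRIMARY_A = "0123456789ABCDEF0123456789ABCDEF01234567"
SUBKEY_A1 = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"
SUBKEY_A2 = "13579BDF02468ACE13579BDF02468ACE13579BDF"
PRIMARY_B = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
UID = "Release Manager <releases@example.org>"


def _status(signing_fpr: str, primary_fpr: str, uid: str = UID) -> str:
    """Build a plausible status-fd transcript for one verified signature."""
    return "\n".join([
        PREFIX + "NEWSIG",
        f"{PREFIX}GOODSIG {signing_fpr[-16:]} {uid}",
        f"{PREFIX}VALIDSIG {signing_fpr} 2005-10-26 1130360656 0 4 0 17 2 00 {primary_fpr}",
        PREFIX + "TRUST_UNDEFINED 0 pgp",
    ])


OLD_RELEASE = _status(SUBKEY_A1, PRIMARY_A)
NEW_RELEASE = _status(SUBKEY_A2, PRIMARY_A)        # new signing subkey, same primary key
IMPOSTOR_RELEASE = _status(PRIMARY_B, PRIMARY_B)   # different key, same name and email
BROKEN_RELEASE = "\n".join([PREFIX + "NEWSIG",
                            f"{PREFIX}BADSIG {SUBKEY_A1[-16:]} {UID}"])

if __name__ == "__main__":
    for label, status in [("new", NEW_RELEASE), ("impostor", IMPOSTOR_RELEASE),
                          ("broken", BROKEN_RELEASE)]:
        print(f"{label}: continuity ok = {continuity_ok(OLD_RELEASE, status)}")
```

Feed it the stdout of `gpg --status-fd 1 --verify` for the previous and the current release. The impostor case is the one the mail is really about: GOODSIG shows exactly the same name and email as the genuine release, so a check keyed on the user ID would accept it, while the primary fingerprint comparison rejects it. GnuPG did not offer this policy built in when the mail was written; from 2.1.10 on it ships a pinning-style model as `--trust-model tofu`.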



More information about the Gnupg-users mailing list