Re: Signing our keys
-----BEGIN PGP SIGNED MESSAGE-----
In an interesting list message, Wonderer wrote:
>It seems to me that we have an interesting dilemma
>here. If we are willing to sign a key based on an
>entity that we KNOW does not really exist, then what
>does a signature mean?
Here's a terrific example of one of the interesting differences
between the PEM-style key hierarchy and the PGP web.
Consider that any entity (real or spoofed) can own a key pair in
either model. A PEM key is bound to a particular identity by a
certificate. Right now, you can only get these certificates from
entities that want some concrete evidence of your True Name; this
makes sense, since the certificate establishes that key X belongs to
True Name Y.
PGP, OTOH, doesn't have any direct equivalent of a certificate. If I
get Wonderer's key with no signatures, I can't guarantee anything
about the association between that entity and the key I get.
If I get that same PGP key with signatures from Phil Karn and L. Detwiler,
I know that they're willing to certify the association. Does that mean
anything? Well, it depends on who the signers are :)
A set of PGP signatures can be equivalent to a PEM-style certificate;
that is, the set of signatures on a key, establishing that a
particular key belongs to a particular entity, can potentially be as
trustworthy as a certificate from Dun & Bradstreet or RSA.
The PGP feature that a key doesn't have to belong to the True Name of
an entity is a big plus in my book; otherwise, we'd have no Wonderer,
no deadbeat, and no S. Boxx.
- -Paul
- --
Paul Robichaux, KD4JZG | Caution: cutting edge is sharp. Avoid contact.
Intergraph Federal Systems | Be a cryptography user - ask me how.
** Of course I don't speak for Intergraph. **
-----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQCVAgUBLNAJ2yA78To+806NAQF/DAQApsjQgIjW26GPvL2kINfCzTGyxn6zXJr9
OZVdLjPRe/J7eudxXfe5q7MlENxyomXgXqnUr5AxmTEjPzWCj63D1Yq2qr2Gcjq+
i7YTg8d9P+L+yTsTVUBk+ZIbBv+AFnD35yCEQnIC5nCE0kK644cpwa1FjDyLla01
2m4fvPNTOnM=
=ZF43
-----END PGP SIGNATURE-----
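The post's point that a set of PGP key signatures is worth exactly as much as the keys that made them can be made concrete with a small trust computation. The following is an added illustration, not code from the message or from PGP itself: it models the PGP 2.x introducer rule (one fully trusted signer, or two marginally trusted ones, is enough to validate a key-to-name binding) over a constructed keyring. The key IDs, the signatures and the trust levels are an invented scenario that reuses the names from the post; they are not anyone's real keys or trust settings. The signing order also shows why a signature from a key that nobody has vouched for contributes nothing, which is the "depends on who the signers are" caveat.

```python
"""Simplified PGP-style key validity derived from certifying signatures.

Added example (not from the original message). Constants follow the PGP 2.x
defaults; the keyring below is a constructed scenario.
"""
from dataclasses import dataclass, field

COMPLETES_NEEDED = 1   # PGP 2.x default: one fully trusted introducer suffices
MARGINALS_NEEDED = 2   # PGP 2.x default: or two marginally trusted introducers


@dataclass
class Key:
    key_id: str
    user_id: str                                      # name or pseudonym the key claims
    certifiers: list = field(default_factory=list)    # key_ids that signed this binding


def validity(keyring, trust, key_id, _stack=()):
    """Return (valid, completes, marginals) for the key's user-ID binding.

    trust maps key_id -> 'ultimate' | 'full' | 'marginal' | 'none'; a key
    missing from it is unknown and its signatures count for nothing.
    A certification only counts if the signer's own key is valid first:
    a signature from a key nobody vouches for is just more unverified data.
    """
    if trust.get(key_id) == "ultimate":                # your own key: valid by definition
        return True, 0, 0
    if key_id in _stack or key_id not in keyring:      # signature cycle, or key we don't hold
        return False, 0, 0
    completes = marginals = 0
    for signer in keyring[key_id].certifiers:
        if signer == key_id:
            continue                                   # self-signature adds no introducer weight
        signer_valid, _, _ = validity(keyring, trust, signer, _stack + (key_id,))
        if not signer_valid:
            continue                                   # unvalidated signer: ignore the signature
        level = trust.get(signer, "unknown")
        if level in ("ultimate", "full"):
            completes += 1
        elif level == "marginal":
            marginals += 1
    valid = completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED
    return valid, completes, marginals


# Constructed keyring: names are the pseudonyms and signers mentioned in the
# post; signatures and trust levels are invented for illustration only.
KEYRING = {k.key_id: k for k in [
    Key("me",       "Paul Robichaux"),
    Key("karn",     "Phil Karn",    ["me"]),
    Key("detwiler", "L. Detwiler",  ["me"]),
    Key("other",    "Third Signer", ["me"]),
    Key("lurker",   "Lurker"),                              # nobody has certified this key
    Key("wonderer", "Wonderer",     ["karn", "detwiler"]),  # pseudonym, but well introduced
    Key("nym",      "S. Boxx",      ["detwiler", "other"]), # two marginal introducers
    Key("deadbeat", "deadbeat",     ["lurker", "detwiler"]),# one valid marginal, one worthless
]}
TRUST = {"me": "ultimate", "karn": "full", "detwiler": "marginal",
         "other": "marginal", "lurker": "marginal"}


def report(keyring, trust):
    """Map every held key to its (valid, completes, marginals) result."""
    return {kid: validity(keyring, trust, kid) for kid in keyring}


if __name__ == "__main__":
    for kid, (ok, c, m) in report(KEYRING, TRUST).items():
        print(f"{kid:10} {keyring_uid if False else KEYRING[kid].user_id:15} "
              f"valid={ok!s:5} completes={c} marginals={m}")
```

Note that "Wonderer" validates without any True Name being involved: the binding certified is key-to-pseudonym, and the two real signers are what carry the weight. "deadbeat" fails even though it has two signatures, because the "lurker" key has no valid path back to the user's own key, so its marginal trust setting never comes into play.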