Signing our keys

Paul Robichaux paul at poboy.b17c.ingr.com
Thu Oct 28 11:08:08 PDT 1993


-----BEGIN PGP SIGNED MESSAGE-----

In an interesting list message, Wonderer wrote:
>It seems to me that we have an interesting dilemma
>here. If we are willing to sign a key based on an
>entity that we KNOW does not really exist, then what
>does a signature mean? 

Here's a terrific example of one of the interesting differences
between the PEM-style key hierarchy and the PGP web.

Consider that any entity (real or spoofed) can own a key pair in
either model. A PEM key is bound to a particular identity by a
certificate. Right now, you can only get these certificates from
entities that want some concrete evidence of your True Name; this
makes sense, since the certificate establishes that key X belongs to
True Name Y.

PGP, OTOH, doesn't have any direct equivalent of a certificate. If I
get Wonderer's key with no signatures, I can't guarantee anything
about the association between that entity and the key I get. 

If I get that same PGP key with signatures from Phil Karn and L. Detwiler,
I know that they're willing to certify the association. Does that mean
anything? Well, it depends on who the signers are :)

A set of PGP signatures can be equivalent to a PEM-style certificate;
that is, the set of signatures on a key, establishing that a
particular key belongs to a particular entity, can potentially be as
trustworthy as a certificate from Dun & Bradstreet or RSA.

The PGP feature that a key doesn't have to belong to the True Name of
an entity is a big plus in my book; otherwise, we'd have no Wonderer,
no deadbeat, and no S. Boxx.

- -Paul


- -- 
Paul Robichaux, KD4JZG     | Caution: cutting edge is sharp. Avoid contact.
Intergraph Federal Systems | Be a cryptography user - ask me how.
	    ** Of course I don't speak for Intergraph. **


-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQCVAgUBLNAJ2yA78To+806NAQF/DAQApsjQgIjW26GPvL2kINfCzTGyxn6zXJr9
OZVdLjPRe/J7eudxXfe5q7MlENxyomXgXqnUr5AxmTEjPzWCj63D1Yq2qr2Gcjq+
i7YTg8d9P+L+yTsTVUBk+ZIbBv+AFnD35yCEQnIC5nCE0kK644cpwa1FjDyLla01
2m4fvPNTOnM=
=ZF43
-----END PGP SIGNATURE-----
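As an added illustration, not part of Paul's message: a small Python model of the two ways of deciding whether key X belongs to name Y that the post contrasts, a PEM-style chain to a root CA versus a PGP-style tally of signatures weighted by how much the verifier trusts each signer as an introducer. The complete/marginal thresholds are a simplified stand-in for PGP's configurable introducer-trust settings (an assumption), and every name, signature, trust value and certificate below is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Key:
    name: str                                   # the name the key claims
    signers: set = field(default_factory=set)   # names of keys that signed this key

def wot_valid(ring, name, trust, me, completes=1, marginals=2, seen=frozenset()):
    """PGP-style: a key is valid for `me` if enough *valid* keys that `me`
    trusts as introducers (complete or marginal) have signed it."""
    if name == me:
        return True                             # my own key is valid by definition
    if name in seen or name not in ring:        # cycle, or key not on my ring
        return False
    seen = seen | {name}
    complete = marginal = 0
    for signer in ring[name].signers:
        if not wot_valid(ring, signer, trust, me, completes, marginals, seen):
            continue                            # signatures from unvalidated keys are ignored
        level = "complete" if signer == me else trust.get(signer, "none")
        complete += level == "complete"
        marginal += level == "marginal"
    return complete >= completes or marginal >= marginals

def pem_valid(certs, name, roots):
    """PEM-style: follow subject -> issuer certificates back to a trusted root CA."""
    seen = set()
    while name not in roots:
        if name in seen or name not in certs:
            return False
        seen.add(name)
        name = certs[name]
    return True

def demo():
    # constructed ring: paul (me) signed phil and detwiler; both signed wonderer
    ring = {n: Key(n) for n in ("paul", "phil", "detwiler", "wonderer", "stranger")}
    ring["phil"].signers = ring["detwiler"].signers = {"paul"}
    ring["wonderer"].signers = {"phil", "detwiler"}
    ring["stranger"].signers = {"wonderer"}
    two_marginals = {"phil": "marginal", "detwiler": "marginal"}
    # PEM binds True Names: a pseudonym such as wonderer simply has no certificate
    certs = {"paul": "intergraph-ca", "intergraph-ca": "rsa-root"}
    return {
        "wonderer_two_marginals": wot_valid(ring, "wonderer", two_marginals, "paul"),
        "wonderer_one_marginal": wot_valid(ring, "wonderer", {"phil": "marginal"}, "paul"),
        "stranger_via_wonderer": wot_valid(ring, "stranger", two_marginals, "paul"),
        "paul_pem": pem_valid(certs, "paul", {"rsa-root"}),
        "wonderer_pem": pem_valid(certs, "wonderer", {"rsa-root"}),
    }
```

The same two signatures on Wonderer's key make it valid or not depending only on the trust table, which is the post's point that it "depends on who the signers are"; a signature from a key the verifier has not validated contributes nothing.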