[Enigmail] New to Enigmail and having a question about the validity of signatures

Robert J. Hansen rjh at sixdemonbag.org
Wed Mar 12 12:10:22 PDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

(bcc'd to a couple of friends who are not on the Enigmail list whom I
feel may be interested in the subject.)

Luke Chen wrote:
| There doesn't seem to be a central Certificate Authority for validating
| the public keys. How do I know if I can trust the signature from a
| particular address?

This is an excellent question, and one that does not get asked enough.
It also has the potential to give us a much-needed boost to our
signal-to-noise ratio!  :)

I'll answer it first in anecdotal form, and then in a just-the-facts
form.  After that there will be a pop quiz for the newbies.  The purpose
here is not, _is not_, to make anyone feel dumb or stupid--it's only to
get people thinking critically about the issue.  :)



=====

I have a friend whom I have known online and offline for a few years
now.  In the course of knowing him I've accumulated evidence that he's
being honest about his name.  I believe his judgment is generally good
and he has personal integrity.  I make a personal decision to trust him
not to screw me over.  I call him and have him verify his key
fingerprint.  Now that I am assured I have his key, I sign it and make
it valid for me.

That signature reflects three distinct judgments:

	1.  He really is who he says he is
	2.  I can trust his character
	3.  I have a correct copy of his key

Now when I receive mail claiming to be from him, if I get a good
signature on the message I can be confident that the message is
authentically from him.

I have also discovered his signing policy is at least as stringent as
mine.  He will not sign a key of someone whose identity he has not
confirmed, or a key of someone he does not trust to deal fairly.  After
reflecting on this for a while, I determine that not only do I trust him
to deal fairly with me: I trust his judgment in the people he trusts to
deal fairly with /him/.

In real life, if he asked to borrow my car, I'd shrug and fish out my
keys.  If his Significant Other asked, I'd shrug and fish out my keys,
too... while I barely know her, he trusts her and I trust his judgment,
so I don't see why I shouldn't let her borrow my car.

Similarly, if someone whose key he signed were to send me a
correctly-signed email, I would want it to show up as a good signature.
The same logic applies.  Once I realize this, I set his key up as a
trusted introducer.

=====

"How do I know if I can trust the signature from a particular address?"


	1.  Are you confident the name on the key corresponds to a real
	    person?

	2.  Are you confident the person in question is not trying to
	    trick you?

	3.  Are you confident you have a true copy of this person's key?


... If the answers of 1-3 are "yes", then sign with confidence and send
your signature to the server.  If any of them is "I don't know", then
you may wish to give a local signature--a signature which exists only on
your keyring, which cannot be shared with others.  If any of them is
"no", then _do not_ sign or locally-sign the key.

Once you have signed or locally-signed the key, you may wish to consider
the fourth question:


	4.  Do you trust this person's judgment and reliability when it
	    comes to checking other people's keys?

... If the answer to 4 is "yes", then give a trust signature with
confidence.  If it's "I don't know" or "no", then don't.

=====

Pop quiz!  All answers must be justified.



Part 1: Basic Trust Skills (Short Answer)

Search for keys 0xFEAF8109, 0x5B0358A2 and 0xCCEC227B.  Answer these
four questions for each key.

	1.  Should you sign this key and make it valid?
	2.  Stipulate the key belongs to the person it claims, and that
	    the key is correct.  Should you now sign it?
	3.  Do you trust the person named in the key?
	4.  Should the answers to #2 and #3 have been the same?


Part 2: Advanced Trust Skills (Short Answer)

	1.  Do digital signatures create a trust relationship, or do
	    they only reflect an already-existing trust relationship?
	2.  Do digital signatures serve any purpose in the absence of
	    an already-existing trust relationship?
	3.  Should you know all the root authorities your operating
	    system trusts?
	4.  Why do you trust your OS vendor to decide which root
	    authorities are trustworthy?




I would politely ask that people who can easily answer these questions
hold off until Friday--let's let the newbies mull these questions over
in peace.  :)

Man, I miss teaching Computer Literacy...  :)


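A small model of the validity calculation the post describes, to make the difference between "I signed his key" and "I set him up as a trusted introducer" concrete. This is an added example, not code from the post or from GnuPG; the names and the scenario are constructed, while the one-full / three-marginal / depth-five thresholds are GnuPG's classic defaults.

```python
"""Web-of-trust validity model (constructed example, not GnuPG's code).

A certification signature says "I checked that this key belongs to this
person" (judgments 1-3 in the post).  Ownertrust says "I trust this person's
judgment when *they* check keys" (judgment 4).  A key's validity is derived
from both: it is valid if certified by an ultimately trusted key, by one
fully trusted valid key, or by three marginally trusted valid keys, within
a certification depth of five.  A local (non-exportable) signature counts
exactly like an exportable one on the keyring that holds it.
"""

COMPLETES_NEEDED = 1   # fully trusted certifiers needed for validity
MARGINALS_NEEDED = 3   # marginally trusted certifiers needed for validity
MAX_CERT_DEPTH = 5     # how far a chain of introducers may reach


def compute_validity(certs, ownertrust):
    """certs: set of (signer, signed) certification signatures.
    ownertrust: dict key -> 'ultimate' | 'full' | 'marginal' | 'unknown'.
    Returns dict key -> 'full' | 'unknown' validity."""
    keys = {k for pair in certs for k in pair} | set(ownertrust)
    # Our own (ultimately trusted) keys are valid by definition, at depth 0.
    valid = {k: 0 for k, t in ownertrust.items() if t == "ultimate"}
    changed = True
    while changed:                      # iterate until no new key becomes valid
        changed = False
        for key in keys - set(valid):
            # Only certifiers that are themselves valid (and not too deep) count.
            signers = [s for s, target in certs
                       if target == key and s in valid and valid[s] < MAX_CERT_DEPTH]
            full = [s for s in signers if ownertrust.get(s) in ("ultimate", "full")]
            marginal = [s for s in signers if ownertrust.get(s) == "marginal"]
            if len(full) >= COMPLETES_NEEDED or len(marginal) >= MARGINALS_NEEDED:
                valid[key] = 1 + min(valid[s] for s in full + marginal)
                changed = True
    return {k: ("full" if k in valid else "unknown") for k in keys}


# Constructed scenario from the post: I signed my friend's key after checking
# his fingerprint by phone; he has signed his partner's and a colleague's key.
# "stranger" is a key I never validated, so its signatures carry no weight.
CERTS = {("me", "friend"), ("friend", "partner"),
         ("friend", "colleague"), ("stranger", "partner")}


def scenario(friend_is_introducer):
    """Validity with and without setting my friend up as a trusted introducer."""
    ownertrust = {"me": "ultimate",
                  "friend": "full" if friend_is_introducer else "unknown"}
    return compute_validity(CERTS, ownertrust)
```

Signing the friend's key alone makes only his key valid; granting him ownertrust is what lets the keys he certified show good signatures, just as the car-borrowing analogy describes.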
