Wednesday 16 July 2008

OH MY GOD!

This can't be true! How can someone trust such a key?

Does anybody have a reasonable explanation for such an abomination?



Update: It seems it is unclear to some people what the problem with this key is. There are multiple identities (apparently different people) on the same key. So, in layman's terms, multiple different people are using exactly the same key to certify their identity. Every signature shown on those identities is made by the key itself (a self-signature), not by anyone else's key.

I really don't understand how this could work in real life. Maybe it is a case of misunderstanding what gpg is about?
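
As an added example (not part of the original post or its comments), here is a small Python parser for the machine-readable output of `gpg --with-colons --list-sigs <keyid>`. It does what the 'key' column of the screenshot does by hand: for each user ID on the key it records whether a certification was made by the key itself (a self-signature, signer key ID equal to the primary key ID) or by some other key, and then reports which user IDs nobody else has certified and how many apparently different people share the key. The listing it runs on is constructed for this example; the key IDs, names and addresses are invented, but the record layout follows GnuPG's colon format (field 1 record type, field 5 key ID, field 10 user ID, field 11 signature class).

```python
from dataclasses import dataclass, field

# Constructed sample of `gpg --with-colons --list-sigs` output (not real key data).
# One primary key, three user IDs for three different people, each UID carrying a
# self-signature (signer == primary key ID, class 0x13 = positive certification),
# and one third-party certification from another key on the first UID only.
SAMPLE = """\
tru::1:1216200000:0:3:1:5
pub:-:1024:17:0123456789ABCDEF:1200000000:::-:::scESC:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:-::::1200000000::AAAA0000BBBB1111CCCC2222DDDD3333EEEE4444::Alice Example <alice@example.org>::::::::::0:
sig:::17:0123456789ABCDEF:1200000000::::Alice Example <alice@example.org>:13x::
sig:::1:FEDCBA9876543210:1205000000::::Carol Certifier <carol@example.net>:13x::
uid:-::::1200000100::BBBB1111CCCC2222DDDD3333EEEE4444FFFF5555::Bob Example <bob@example.org>::::::::::0:
sig:::17:0123456789ABCDEF:1200000100::::Alice Example <alice@example.org>:13x::
uid:-::::1200000200::CCCC2222DDDD3333EEEE4444FFFF5555AAAA6666::Dave Example <dave@example.org>::::::::::0:
sig:::17:0123456789ABCDEF:1200000200::::Alice Example <alice@example.org>:13x::
sub:-:2048:16:1122334455667788:1200000000::::::e:
sig:::17:0123456789ABCDEF:1200000000::::Alice Example <alice@example.org>:18x::
"""

# OpenPGP certification signature classes (0x10..0x13); 0x18 is a subkey binding,
# not a statement about any user ID, so it is ignored below.
CERTIFICATION_CLASSES = ("10", "11", "12", "13")


@dataclass
class Uid:
    name: str
    self_signed: bool = False
    third_party: list = field(default_factory=list)   # signer key IDs other than the primary


def parse_listing(text):
    """Return (primary key ID, list of Uid) from colon-format gpg output."""
    primary = None
    uids = []
    current = None
    for line in text.splitlines():
        f = line.split(":")
        rtype = f[0]
        if rtype == "pub":
            primary = f[4]
        elif rtype == "uid":
            current = Uid(name=f[9])
            uids.append(current)
        elif rtype == "sub":
            current = None            # signatures that follow bind the subkey, not a UID
        elif rtype == "sig" and current is not None:
            signer, sig_class = f[4], f[10]
            if sig_class[:2] not in CERTIFICATION_CLASSES:
                continue
            if signer == primary:
                current.self_signed = True
            else:
                current.third_party.append(signer)
    return primary, uids


def uncertified_uids(text):
    """User IDs whose only certification is the key's own self-signature."""
    _, uids = parse_listing(text)
    return [u.name for u in uids if not u.third_party]


def distinct_holders(text):
    """Distinct real-name parts across the UIDs: more than one means the key is
    claiming to speak for several people at once, which is the oddity discussed."""
    _, uids = parse_listing(text)
    return {u.name.split("<")[0].strip() for u in uids}


if __name__ == "__main__":
    primary, uids = parse_listing(SAMPLE)
    print("key", primary, "carries", len(uids), "user IDs for", len(distinct_holders(SAMPLE)), "people")
    for u in uids:
        print(f"  {u.name}: self-signed={u.self_signed} third-party={u.third_party}")
    print("certified only by itself:", uncertified_uids(SAMPLE))
```

On a real key, run `gpg --with-colons --list-sigs <keyid>` and feed the output to `parse_listing`; a `sig` record whose key ID matches the `pub` record is the self-signature every UID needs in order to be valid at all, so a long column of identical key IDs says nothing about anyone else having vouched for those identities.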

7 comments:

Anonymous said...

I assume your complaint relates to the large number of signatures by people in the same domain?

Anonymous said...

I would trust it, if I knew the second, the fourth and the seventh signer of his key.

I would use a similar criterion if he had signers from @debian.org, @ibm.com and @microsoft.com.

It all depends on your web of trust, doesn't it?

Anonymous said...

Anonymous cannot be trusted to understand anything...

All those signatures are signatures with the key itself (self-signatures). The problem is that the same key has multiple UIDs (user identities).

There is no need to say anything about the web of trust because there is only one key involved. Note that the 'key' column lists the ID of the key for each UID entry.

Anonymous said...

One of these people must suffer a dissociative identity disorder...

Anonymous said...

What an obtuse interface for showing signatures. Nothing in that screenshot makes it obvious that those represent self-signatures rather than signatures from other keys.

Yes, having identities for different people on the same key seems insane.

Unknown said...

I'm a noob to PGP and key signing, but why would someone sign his own key?

Anonymous said...

"Anonymous said... Anonymous cannot be trusted to understand anything..."


A nice, self-referencing statement ;-)

"All those signatures are signatures with the key itself (self-signatures). The problem is that the same key has multiple UIDs (user identities)."

I didn't notice that from the screenshot. I would have noticed if I had tried to sign the key, since gpg makes the problem explicit (try to sign that key with gpg and you'll see).

Still, I come back to the web of trust: As long as nobody I trust has signed that key, I won't trust it. Now if somebody I trust had signed an individual user ID, I might trust that user ID (but none of the others). Why not?

If somebody I trust had signed all the user IDs... I certainly shouldn't trust that person any longer ;-)