
Re: Senator Leahy's Public Key



-----BEGIN PGP SIGNED MESSAGE-----

> > Actually, I've been thinking about this, and how do we *really* know that
> > *anyone's* keys are actually theirs?  I'm new to this list and have been 
> > collecting some of the keys from people who post with PGP signatures, but 
> > even at that, I never certify them myself because I am not 100% absolutely
> > certain that the key in question belongs to that person.  After all, what
> > if some clever hacker dropped in and replaced someone's .plan file, or 
> > edited their index.html file?  There's no real way to be absolutely 
> > certain.
> 
> This is exactly what the web of trust is about.  The fact is that you
> can't trust the Keyservers (they were never designed to be trusted);
> you can't trust .plan files; you can't trust index.html files.
> However you can trust signatures made by trusted keys.  That is why
> the web of trust works.
> 
> For example, I've met in person with a lot of people and we've signed
> each other's keys.  We've used various methods to "prove" identity.
> Sometimes it's been a long time of personal interactions (close
> friends).  Sometimes it's been a number of certifying documents, IDs,
> etc.  Sometimes it's been a piece of knowledge that I know the other
> has but no one else has.

The problem is entering this "Web of trust".  You have to know someone who
is already in The Web in order to start signing your keys.  I don't know
anyone around here who uses PGP but me.  That's why I've been getting
keys off of this list.  Gotta start somewhere; however, I feel that this 
is a very shaky way to start.

> The point is that once I'm attached to the web of trust I have a means
> to verify other keys.  I can set up a CA that way (MIT has one) --
> there is a keysigner that will use out-of-band means to verify the
> identity of a user and then use that to sign a PGP key in that
> person's name.

I agree that once the WOT is set up, everything should work hunky-dory, but
introducing yourself into this web isn't an easy thing.  Since we know that
the keyservers aren't bulletproof, how many keys do I grab from there in 
order to start my keyring?  One?  Ten?  500?  Statistically speaking, how 
many of those have been compromised and can no longer be trusted?

> You just need to look at it from a different angle.

That's what I'm trying to do.  Maybe I'm just looking at it all backwards 
or something, but it's something I've been thinking about since I've been 
collecting keys lately.

> -derek

- -- 
Matt Smith - [email protected]
"Nothing travels faster than light, with the possible exception of bad news, 
which follows its own rules." - Douglas Adams, "Mostly Harmless"
Disclaimer:  I came up with these ideas, so they're MINE!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----
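The validity rule Derek describes above (a key becomes believable through signatures from keys you already trust, never through the keyserver that served it) worked through as an added example; this is not code from the thread or from PGP itself. It models the classic PGP 2.x defaults of one fully trusted or two marginally trusted introducers; the keyring, owner names and trust values are constructed to show why a pile of keyserver downloads with no trusted signature path stays unverified.

```python
"""Classic PGP-style web-of-trust validity calculation (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass, field

COMPLETES_NEEDED = 1   # one signature from a fully trusted key validates a key
MARGINALS_NEEDED = 2   # or two signatures from marginally trusted keys


@dataclass
class Key:
    owner: str
    sigs: set = field(default_factory=set)   # names of keys that certified this key
    trust: str = "none"                      # owner-trust you assign: ultimate/full/marginal/none


def compute_validity(ring: dict[str, Key]) -> set[str]:
    """Return the owners whose keys are valid (believed to really be theirs).

    Your own key (ultimate trust) is valid by definition. Any other key is valid
    only if enough of its signatures come from keys that are themselves valid AND
    that you trust as introducers. Iterate until nothing changes so that chains
    of introducers (me -> alice -> dave) resolve.
    """
    valid = {name for name, k in ring.items() if k.trust == "ultimate"}
    changed = True
    while changed:
        changed = False
        for name, key in ring.items():
            if name in valid:
                continue
            completes = marginals = 0
            for signer in key.sigs:
                if signer not in valid:      # unknown or unvalidated signer counts for nothing
                    continue
                if ring[signer].trust in ("ultimate", "full"):
                    completes += 1
                elif ring[signer].trust == "marginal":
                    marginals += 1
            if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                valid.add(name)
                changed = True
    return valid


def example_ring() -> dict[str, Key]:
    """Constructed keyring: 'me' is a list reader bootstrapping from keyserver downloads."""
    return {
        "me":      Key("me", trust="ultimate"),
        "alice":   Key("alice", sigs={"me"}, trust="full"),     # met in person; signed, fully trusted
        "bob":     Key("bob", sigs={"me"}, trust="marginal"),
        "carol":   Key("carol", sigs={"me"}, trust="marginal"),
        "dave":    Key("dave", sigs={"alice"}),                 # one full introducer: valid
        "erin":    Key("erin", sigs={"bob", "carol"}),          # two marginal introducers: valid
        "frank":   Key("frank", sigs={"bob"}),                  # one marginal introducer: not enough
        "mallory": Key("mallory", sigs={"mallory", "zed"}),     # keyserver key, self/unknown sigs only
    }
```

Raising bob's owner-trust to "full" is all it takes for frank's key to become valid, which is the point of the thread: the decision sits with your trust assignments, not with how many keys you fetched.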