Re: Secure Key exchange

Bob Stratton suggests we hash out ideas on key signing protocols. Ok, here
is what I do:

I sign keys only when I am certain that the key belongs to the human who
claims to have the name on the key. There are not a lot of keys signed
by me floating around, maybe six total. My sig does not mean that the
key is not owned by a cop or NSA/CIA/KGB agent (Unlike Edgar's service) 
because I can't tell. So if you care about that stuff, start your
own web of trust with "higher" standards. My sign doesn't mean
that the person is really who they claim to be, I can't tell
that either. I've signed the key of a guy claiming to be "Ray
Kaplan" because I believe that he uses that name regularly.
But I don't know that his name isn't really Boris Badinov.

You won't find my sig on Phil Zimmermann's key,
even tho that is a popular activity. Phil is a Net/Ether
person to me. My sig means that there is a real person with 
that name. I was at NCSC and exchanged keys there. I'll be
at CFP-3 and exchange keys there too. And if you are in my
area, (suburban Wash DC) we can meet and exchange keys.

I see no reason to hurry. A slowly growing web of trust that
is strong is far more useful than an exploding web of trash.


Pat Farrell,      Grad Student                       [email protected]
Department of Computer Science, George Mason University, Fairfax, VA
PGP key available via finger or request           #include standard.disclaimer
Write PKP. Offer money for a personal use license for RSA.