From: J. Michael Diehl <mdiehl@triton.unm.edu>
Let's say someone emails me a key and the return address matches that of the address in the key. Do I assume no one is spoofing me? You have to admit that this is possible, albeit unlikely. What good is key certification if it is only "probably valid"? I've noticed that many of the keys on the server are signed with the same person's key. I doubt that these people have had physical contact with each of the people whose keys they've signed. Am I just being paranoid, or is there a valid issue here? I welcome any of your comments.
Anything is possible. It's best to play it VERY safe when it comes to certifying or accepting keys. The ideal thing is to accept only keys that have been signed by a key you know to be good. Start with a key that's been handed to you personally (or that you are absolutely certain is legit), and work from there. Some folks (bless them) have signed oodles of keys and are very trustworthy; if you can work through the web to them eventually (being careful along the way about who you trust as a certifier), you'll eventually have a windfall. No, most people on the public servers have probably not met face to face; they've worked their way to each other using trusted signatures and certifiers. Just be careful about who you trust. --Dave.
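To make Dave's rule concrete, here is an added example that is not part of the thread and is not code from any PGP implementation: a minimal web-of-trust evaluator in Python. It separates the two ideas the reply keeps apart: a key is VALID if it is one you verified in person or carries a signature from a key that is both valid and one you have chosen to TRUST as an introducer; being valid does not by itself make a key a trusted introducer, which is the "being careful along the way about who you trust as a certifier" part. It also shows why a key whose user ID matches an email's return address proves nothing on its own: a self-signature or a signature from an unknown key never makes a key valid. All key ids, owner names and signatures below are constructed sample data.

```python
"""Minimal PGP-style web-of-trust evaluator (added example, constructed data)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Key:
    key_id: str
    owner: str                                   # user ID on the key (constructed)
    signed_by: set = field(default_factory=set)  # ids of keys that certified this key


def compute_valid_keys(keys, roots, trusted_introducers):
    """Return the set of key ids you may treat as valid.

    keys: dict key_id -> Key
    roots: key ids you verified yourself (handed to you in person)
    trusted_introducers: key ids whose certifications you choose to accept
    A signature counts only if the signer is BOTH valid AND a trusted introducer,
    so an untrusted-but-valid key cannot vouch for anyone, and an unknown key
    cannot bootstrap itself with a self-signature. Iterates to a fixed point
    because an introducer's own key may become valid only after another
    introducer has signed it.
    """
    valid = {k for k in roots if k in keys}
    changed = True
    while changed:
        changed = False
        for kid, key in keys.items():
            if kid in valid:
                continue
            if any(s in valid and s in trusted_introducers for s in key.signed_by):
                valid.add(kid)
                changed = True
    return valid


def certification_path(keys, roots, trusted_introducers, target):
    """Return a chain of key ids from one of your roots to target, following
    only signatures made by valid, trusted introducers; None if no such chain.
    This is the 'work through the web' path Dave describes, made explicit."""
    valid = compute_valid_keys(keys, roots, trusted_introducers)
    if target not in valid:
        return None
    if target in roots:
        return [target]
    queue = deque([[target]])   # breadth-first search backwards over signatures
    seen = {target}
    while queue:
        path = queue.popleft()
        for signer in keys[path[0]].signed_by:
            if signer in roots:
                return [signer] + path
            if signer in valid and signer in trusted_introducers and signer not in seen:
                seen.add(signer)
                queue.append([signer] + path)
    return None


# Constructed sample keyring. Alice's key was handed over in person (root).
KEYS = {
    "A1": Key("A1", "alice@example.org", {"A1"}),
    "B2": Key("B2", "bob@example.org", {"A1", "B2"}),      # certified by Alice
    "C3": Key("C3", "carol@example.org", {"B2", "C3"}),    # certified by Bob
    "D4": Key("D4", "dan@example.org", {"C3"}),            # certified only by Carol
    "M5": Key("M5", "mallory@example.org", {"M5", "X9"}),  # self-signed + unknown signer
    "X9": Key("X9", "x@example.org", {"M5"}),              # mutual signing among unknowns
}
ROOTS = {"A1"}
TRUSTED = {"A1", "B2"}   # Carol's key is valid, but she is not a trusted introducer


if __name__ == "__main__":
    print("valid:", sorted(compute_valid_keys(KEYS, ROOTS, TRUSTED)))
    for target in ("C3", "D4", "M5"):
        print(target, "->", certification_path(KEYS, ROOTS, TRUSTED, target))
    # Deciding to trust Carol as an introducer is what makes Dan's key valid;
    # nothing ever makes the M5/X9 pair valid, however convincing their user IDs.
    print("with Carol trusted:", sorted(compute_valid_keys(KEYS, ROOTS, TRUSTED | {"C3"})))
```

With the sample keyring only A1, B2 and C3 come out valid, Dan's key stays unverified until you decide to trust Carol as a certifier, and the mutually signed M5/X9 pair never becomes valid because no chain leads back to a key you verified yourself. A key arriving by email with a matching return address would be in exactly the M5 position until someone in your trusted web signs it.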