That sounds sincere coming from someone who calls himself "eli+" :-)
Nah, that would be "eli++". Or better, "++eli". Actually, this keeps CMU's overly-clever mail system from delivering my mail to an "Edward Lawrence Immelmann" -- it prefers initials to login names.
It's true that you don't need to talk to everybody. The problem is that I might want to talk to people whom I don't know personally, but know by reputation, or by function ("DEA Rat Hotline" -- well, maybe not).
Yes, that is a problem. That problem is one of the reasons that public key encryption was invented, actually.
But PK doesn't make the key distribution problem go away. This thread has been about a particular approach to PK key distribution, the web of trust, and how to model its behavior.
The way to know whether an untrusted key really belongs to someone is to wait for the response. Which means don't spill all the beans at once.
Generally insufficient. If someone is going to go to the trouble of a key-substitution attack, they're going to take the time to compose a plausible response. This approach is useful if the intended recipient *is* well-known to you. -- Eli Brandt eli+@cs.cmu.edu