Sarad AV wrote:
Now, how do we know which key distribution authority and which certifying authority to trust? Isn't this going to be a problem? Trust doesn't seem to work as well as it used to.
Trust has *never* worked in that sense - the WoT only really works inside strongly connected sets (less than one in five of the keys I have obtained from the PGP keyservers have a signature from someone I would trust to introduce people to me) and commercial CAs have always been both lax in their checking (although a *little* more than "the check clears") and happy to "co-operate" with law enforcement requests. However, in a more limited sense, trust *does* work - I can rely on keys I have checked myself, and have a limited number of people spread across the world whose signatures I will trust to indicate they have done the required checking themselves. Of course, now that the commonly accepted hashes are suspect, I have to wonder about the viable lifespan of a signed key...