-----BEGIN PGP SIGNED MESSAGE-----
Zimmermann clearly understood all of this, but I don't think he documented it properly. In my opinion, everyone should always think in terms of man-in-the-middle attacks when signing a public key. Mandating "True Names" is just an overconservative approach suitable for people who don't fully understand the issue.
wilcoxb> My point exactly. My post "Stop Fixating on True Names" was
wilcoxb> an attempt to clarify things to said people.

Then you didn't clarify very well; to wit:

wilcoxb> Okay now does anyone want to do any of the above two things
wilcoxb> to me? If not then *don't* *worry* about whether my public
wilcoxb> key is signed by anyone or not. It makes zero difference to
wilcoxb> you until such a time as one of the above motivations
wilcoxb> acquires.

wilcoxb> Zimmermann et al. were/are naive to emphasize the Web of
wilcoxb> Trust as a means of introducing strangers.

The first paragraph clarifies nothing because it is dead wrong; the second because it is arrogant, offensive, and dead wrong.

wilcoxb> From this perspective, the Web of Trust is the soul of
wilcoxb> public-key cryptography. From the other perspective ("Never
wilcoxb> ever sign a key which you got off of a bulletin board!"
wilcoxb> warns "pgpdoc1.txt") it is a cute anachronism.

The Web of Trust is a means of thwarting active attacks; nothing more, nothing less. "Perspective" has nothing to do with it.

Given that active attacks are hard to explain and understand fully, the PGP docs are correct to advocate a conservative approach to signing keys. Novices *should* be taught to take the Web of Trust seriously. (Yes, I am retracting my own statements quoted above; the more I think about it, the more I think it is very hard to teach a novice the details of active attacks.) Moreover, I suspect that active attacks are more likely today than when those docs were written, which makes their advice precisely the opposite of an "anachronism".

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface
-----END PGP SIGNATURE-----
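A toy model of the point about active attacks, added here as an illustration and not part of the original post or of PGP itself: textbook RSA over small constructed primes stands in for PGP keys, a trusted introducer's signature over the name-to-key binding stands in for a Web of Trust certification, and the scenario shows that this certification check is what lets Alice tell a substituted key from the genuine one. All names, primes and the "bulletin board" exchange are assumptions made for the example.

```python
import hashlib

# Toy textbook RSA with small primes (constructed for illustration only;
# real PGP keys are far larger and use padded signature schemes).
def rsa_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)          # (public, private)

def digest(data, n):
    # Hash the certified data and reduce it into the signing modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def cert_bytes(owner, pub):
    # What an introducer certifies: the binding of a name to a key.
    return f"{owner}:{pub[0]}:{pub[1]}".encode()

def alice_fetches_bob_key(active_attacker):
    """Return (accepted_blindly, accepted_via_introducer, key_is_bobs)."""
    intro_pub, intro_priv = rsa_keypair(1000003, 1000033)  # trusted introducer
    bob_pub, _ = rsa_keypair(1000037, 1000039)
    mallory_pub, mallory_priv = rsa_keypair(1000081, 1000099)
    # Out of band, the introducer has certified Bob's genuine key.
    bob_cert = sign(intro_priv, cert_bytes("bob", bob_pub))
    # Alice asks a bulletin board for "bob". An active attacker in the path
    # can swap the key and attach a certificate made with his own key.
    if active_attacker:
        served_key = mallory_pub
        served_cert = sign(mallory_priv, cert_bytes("bob", mallory_pub))
    else:
        served_key, served_cert = bob_pub, bob_cert
    # The "zero difference" policy quoted above: take whatever was served.
    accepted_blindly = True
    # The Web of Trust policy: accept only if a trusted introducer vouches.
    accepted_via_introducer = verify(intro_pub, cert_bytes("bob", served_key), served_cert)
    return accepted_blindly, accepted_via_introducer, served_key == bob_pub

if __name__ == "__main__":
    print("no attacker:", alice_fetches_bob_key(False))  # (True, True, True)
    print("active attacker:", alice_fetches_bob_key(True))  # (True, False, False)
```

With no attacker both policies agree; with an active attacker only the introducer check rejects the substituted key, which is the sense in which the signatures make a difference before any attack is noticed.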