From: Tom.Jennings@f111.n125.z1.fidonet.org (Tom Jennings)
Not my worry. What I meant was, how do I know that the keyfile I received from "John Smith @ net address" really is his, and not some faker. Short of physically getting key disks from someone face to face (flatly impossible here), I don't know.
This is like asking "how do I get a bullet to stop in mid air and launch itself back into the bullet casing in the breech of the gun". You don't. Obviously, the only way to trust a key enough to certify it is to actually get it in person and verify identity. This is often impractical, but so what? If people want to communicate and the only assurance your signature gives them is that you got a copy of the keys by email, they might as well just email each other the keys and live knowing that the messages they are sending are to possibly non-securely identified people. Signed introduced keys should be reserved for times when you can actually add real information by claiming the key is really owned by the person who claims it. This does mean that a lot of the time, until people have built up catenative assemblages of keys sufficient to form a "chain of trust" for unknown people, they will simply have to do without certification of the other person's identity. Isn't that the way life usually is, though?

Perry