(in response to a topic mentioned in various threads) I agree that neither CA-verification nor WoT-verification is as useful as Key Fingerprint-verification for secure communication between crypto-aware individuals. After all, CAs can be subverted, and WoT is probably best used as a back-up option when direct key verification is not possible. Key Fingerprints can be verified in both PGP and S/MIME, but neither system enforces it. I would prefer for Key Fingerprint-verification to be more central to the system.

--- jamesd@echeque.com wrote: ...
The hierarchical Verisign model is useful when one wishes to verify that something comes from a famous and well known name -- that this software really is issued by Flash, that this website really does belong to the Bank of America. In this case, however, only famous and well known names need their keys from Verisign. No one else needs one.

When one wishes to know one is really communicating with Bob, it is best to use the same channels to verify this is Bob's key as one used to verify that Bob is the guy one wishes to talk to. The web of trust, and Verisign, merely get in the way. ...
--- Eric Murray <ericm@lne.com> wrote: ...
And to be honest, exactly zero of the PGP exchanges I have had have actually used the web of trust to really verify a PGP key. I've only done it in testing. In the real world, I either verify out of band (i.e. over the phone) or don't bother if the other party is too clueless to understand what I want to do and getting them to do PGP at all has already exhausted my patience. ...
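The fingerprint check the post above wants to be central is mechanical enough to show in code. The following is an added example, not part of the original thread or of any PGP implementation: it parses an old-format OpenPGP public-key packet, computes the v4 fingerprint exactly as RFC 4880 section 12.2 specifies (SHA-1 over 0x99, the two-byte body length, and the body), and compares it in constant time against a fingerprint read to you out of band, tolerating the spacing and case differences a person introduces when reading hex over the phone. The key material (toy RSA values n = 3233, e = 17, an arbitrary creation time) and the "attacker" packet are constructed for the example and are not real keys.

```python
"""Added example: OpenPGP v4 fingerprint computation and out-of-band check.

Not from the original thread. Key values below are constructed, not real keys.
"""
import hashlib
import hmac
import struct


def encode_mpi(value: int) -> bytes:
    # OpenPGP MPI (RFC 4880 s3.2): two-byte bit length, then big-endian magnitude.
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def build_v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    # Public-key packet body (RFC 4880 s5.5.2): version 4, creation time,
    # algorithm 1 (RSA), then the MPIs n and e.
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + encode_mpi(n) + encode_mpi(e)


def build_public_key_packet(body: bytes) -> bytes:
    # Old-format header for tag 6 with a two-byte length is the byte 0x99,
    # which is also the first byte hashed for the fingerprint.
    if len(body) > 0xFFFF:
        raise ValueError("body too long for a two-byte length")
    return b"\x99" + struct.pack(">H", len(body)) + body


def parse_public_key_packet(packet: bytes) -> bytes:
    # Old-format header: bit 7 set, bit 6 clear, tag in bits 5..2,
    # length type in bits 1..0 (0 = one byte, 1 = two bytes, 2 = four bytes).
    ctb = packet[0]
    if ctb & 0xC0 != 0x80:
        raise ValueError("not an old-format packet header")
    tag = (ctb >> 2) & 0x0F
    if tag != 6:
        raise ValueError("expected a public-key packet (tag 6), got tag %d" % tag)
    ltype = ctb & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length is not allowed for key packets")
    nbytes = 1 << ltype
    length = int.from_bytes(packet[1:1 + nbytes], "big")
    body = packet[1 + nbytes:1 + nbytes + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return body


def v4_fingerprint(body: bytes) -> bytes:
    # RFC 4880 s12.2: SHA-1(0x99 || two-byte body length || body), 20 bytes.
    if len(body) > 0xFFFF:
        raise ValueError("body too long")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def key_id(fingerprint: bytes) -> bytes:
    # A v4 key ID is the low-order 64 bits of the fingerprint.
    return fingerprint[-8:]


def format_fingerprint(fingerprint: bytes) -> str:
    # Groups of four upper-case hex digits, the way PGP prints fingerprints.
    hexstr = fingerprint.hex().upper()
    return " ".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def normalize(text: str) -> str:
    # Drop whitespace and case so a fingerprint read over the phone compares cleanly.
    return "".join(text.split()).upper()


def verify_fingerprint(packet: bytes, expected: str) -> bool:
    # Compute the fingerprint of the key we actually received and compare it,
    # in constant time, with the one obtained out of band.
    computed = v4_fingerprint(parse_public_key_packet(packet)).hex().upper()
    expected_n = normalize(expected)
    if len(expected_n) != len(computed):
        return False
    return hmac.compare_digest(computed, expected_n)


# Constructed sample keys (toy RSA parameters, not real keys).
BOB_PACKET = build_public_key_packet(build_v4_rsa_public_key_body(3233, 17, 1023000000))
# A substituted key an attacker might hand us in place of Bob's.
ATTACKER_PACKET = build_public_key_packet(build_v4_rsa_public_key_body(3127, 17, 1023000000))


if __name__ == "__main__":
    bob_fp = v4_fingerprint(parse_public_key_packet(BOB_PACKET))
    print("Bob's fingerprint:", format_fingerprint(bob_fp))
    print("Bob's key ID:     ", key_id(bob_fp).hex().upper())
    print("received Bob's key, matches phone fingerprint:",
          verify_fingerprint(BOB_PACKET, format_fingerprint(bob_fp)))
    print("received attacker's key, matches phone fingerprint:",
          verify_fingerprint(ATTACKER_PACKET, format_fingerprint(bob_fp)))
```

The check is only as good as the channel the expected fingerprint came over: it has to be one where you already know you are talking to Bob, which is the point both quoted posters make.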