
-----BEGIN PGP SIGNED MESSAGE-----
Actually, I've been thinking about this, and how do we *really* know that *anyone's* keys are actually theirs? I'm new to this list and have been collecting some of the keys from people who post with PGP signatures, but even at that, I never certify them myself because I am not 100% absolutely certain that the key in question belongs to that person. After all, what if some clever hacker dropped in and replaced someone's .plan file, or edited their index.html file? There's no real way to be absolutely certain.
This is exactly what the web of trust is about. The fact is that you can't trust the Keyservers (they were never designed to be trusted); you can't trust .plan files; you can't trust index.html files. However you can trust signatures made by trusted keys. That is why the web of trust works.
For example, I've met in person with a lot of people and we've signed each other's keys. We've used various methods to "prove" identity. Sometimes it's been a long time of personal interactions (close friends). Sometimes it's been a number of certifying documents, IDs, etc. Sometimes it's been a piece of knowledge that I know the other has but no one else has.
The problem is entering this "Web of trust". You have to know someone who is already in The Web in order to start signing your keys. I don't know anyone around here who uses PGP but me. That's why I've been getting keys off of this list. Gotta start somewhere; however, I feel that this is a very shaky way to start.
The point is that once I'm attached to the web of trust I have a means to verify other keys. I can set up a CA that way (MIT has one) -- there is a keysigner that will use out-of-band means to verify the identity of a user and then use that to sign a PGP key in that person's name.
I agree that once the WOT is set up, everything should work hunky-dory, but introducing yourself into this web isn't an easy thing. Since we know that the keyservers aren't bulletproof, how many keys do I grab from there in order to start my keyring? One? Ten? 500? Statistically speaking, how many of those have been compromised and can no longer be trusted?
You just need to look at it from a different angle.
That's what I'm trying to do. Maybe I'm just looking at it all backwards or something, but it's something I've been thinking about since I've been collecting keys lately.
-derek
- -- 
Matt Smith - msmith@unislc.slc.unisys.com
"Nothing travels faster than light, with the possible exception of bad news, which follows its own rules." - Douglas Adams, "Mostly Harmless"
Disclaimer: I came up with these ideas, so they're MINE!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMZH8YcWUKiYjg/fZAQFk+QQA047pGZizSijPPBksY8nmZTQLdwaOene4
uO5p/ykHfPull03gzvYJ8ueDLlmttqSaf6y2e63RDgLNh5m8K0q88vOzkd0qQ+qf
LxC2ZVmGk3eIsRG9KLFdRMrPsJ0hmo/AfZ8DwF6SUz8+KXbxIHcN0LjTx4XBKIqz
wkpcnF0nLAM=
=Gd3m
-----END PGP SIGNATURE-----
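The exchange above turns on one mechanism: a key you pulled from a keyserver, a .plan or an index.html has no validity by itself; it only becomes valid through certification signatures made by keys you have already validated and whose owners you trust to certify. The following is an added example, not code from the thread and not PGP's own implementation, that models that rule on a constructed keyring. The thresholds and depth limit are assumed to mirror PGP 2.x defaults (one fully trusted signer, or two marginally trusted signers, within a bounded chain length); the key IDs and user IDs are hypothetical.

```python
# Added example: a toy PGP-style web-of-trust validity calculation. Not code from
# the thread or from PGP itself; it models the rule the reply describes, that a
# key becomes trustworthy only through signatures made by keys you already trust.
# The thresholds mirror PGP 2.x defaults (assumed): one fully trusted signer, or
# two marginally trusted signers, within a bounded certification depth.
from dataclasses import dataclass, field

COMPLETES_NEEDED = 1   # fully trusted signatures needed to validate a key (assumed default)
MARGINALS_NEEDED = 2   # marginally trusted signatures needed otherwise (assumed default)
MAX_CERT_DEPTH = 4     # longest signature chain from our own key that still counts (assumed)


@dataclass
class Key:
    key_id: str
    user_id: str
    signers: set = field(default_factory=set)   # key IDs whose certification signatures this key carries


def compute_validity(keys, owner_trust, own_key):
    """Return {key_id: bool}: whether we can believe each key's user ID.

    owner_trust maps key_id -> "ultimate" | "full" | "marginal" | "none" and is
    assigned by hand; it says how much we trust that *owner* to certify others.
    Validity is derived: only signatures from keys that are themselves valid
    count, so trust assigned to a key we never validated contributes nothing.
    """
    valid = {kid: False for kid in keys}
    depth = {own_key: 0}
    valid[own_key] = True
    changed = True
    while changed:                       # validity propagates, so iterate to a fixpoint
        changed = False
        for kid, key in keys.items():
            if valid[kid]:
                continue
            full = marginal = 0
            best_depth = None
            for signer in key.signers:
                # self-signatures, unknown keys, unvalidated keys and over-deep chains do not count
                if signer == kid or signer not in keys or not valid[signer]:
                    continue
                if depth[signer] >= MAX_CERT_DEPTH:
                    continue
                trust = owner_trust.get(signer, "none")
                if trust in ("ultimate", "full"):
                    full += 1
                elif trust == "marginal":
                    marginal += 1
                else:
                    continue
                d = depth[signer] + 1
                best_depth = d if best_depth is None else min(best_depth, d)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid[kid] = True
                depth[kid] = best_depth
                changed = True
    return valid


def demo_validity():
    """Constructed keyring (hypothetical key IDs) covering the situations the thread raises."""
    keys = {k.key_id: k for k in [
        Key("MATT",  "Matt (our own key)",              {"MATT"}),
        Key("ALICE", "met in person, signed by Matt",   {"MATT"}),
        Key("BOB",   "signed by Alice",                 {"ALICE"}),
        Key("CAROL", "signed by Alice",                 {"ALICE"}),
        Key("DAVE",  "signed by two marginal signers",  {"BOB", "CAROL"}),
        Key("FRANK", "signed by one marginal signer",   {"CAROL"}),
        Key("EVE",   "keyserver key, unknown signer",   {"MALLORY"}),
        Key("ZED",   "trusted owner, never validated",  {"ZED"}),
        Key("HANK",  "signed only by ZED",              {"ZED"}),
    ]}
    owner_trust = {"MATT": "ultimate", "ALICE": "full", "BOB": "marginal",
                   "CAROL": "marginal", "ZED": "full"}
    return compute_validity(keys, owner_trust, own_key="MATT")


if __name__ == "__main__":
    for key_id, ok in demo_validity().items():
        print(f"{key_id:6} {'VALID' if ok else 'not valid'}")
```

Two cases in the constructed keyring answer the question of how many keyserver keys to grab: EVE's key carries a signature from a key we have never seen, and HANK's key is signed by ZED, whose owner we marked as fully trusted but whose key we never validated; both stay invalid no matter how many such keys are collected. Only the chain that starts at Matt's own in-person signature on ALICE produces validity, which is the "start somewhere" the reply describes.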