Re: Web of Trust?
At 9:17 3/30/94 -0800, Hal wrote: ...
In other words, if I want to communicate with joe@abc.com, I can only do so if one of the signators of his key is a person I know. If not, I have no way of judging the validity of his key.
This belies simple interpretations of the "web of trust". I may have signed A's key, A has signed B's, B has signed C's, C has signed D's, and D has signed Joe's, but this is of no value unless I know D. Only then can I trust Joe's key.
Ideally, perhaps in cyberspace, one's public key is spread along with X's reputation, i.e. thru the same channels. When a reputation for X reaches you so does X's public key. You say that you want Henry Kissinger's public key. I respond that by whatever means you know that there exists such a person, you will (in cyberspace) already know his public key. The logical limit of this idea is that the public key becomes the name and the key authentication issue dissolves into the mist. We trust reputations because they reach us thru diverse paths. Public keys arriving thru diverse paths should likewise carry extra weight. As crypto becomes more common, reputations will eventually belong more to public keys than to names. The question will then be not "What is Henry's public key?" but "What is the name of the person who knows the secret key that corresponds to this public key?". I suppose that Detwiler feared being unable to answer that question in specific cases. I don't. In the meantime, redundant webs that parallel the normal information webs thru which reputations propagate should provide public keys at least as reliable as the reputations themselves.

One particular case is of interest. If you contract with me to process some of your secrets, I will agree not to divulge those secrets except under the protection of one of a set of public keys that you give me. In such a case the web of trust model can be usefully employed and is not intrinsically limited in the number of levels.
norm@netcom.com
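The point the thread turns on, that a chain of signatures me -> A -> B -> C -> D -> Joe yields nothing unless D's key is itself known to me and D is trusted as an introducer, can be made concrete with a small PGP-style evaluator. The following is an added illustration, not code from the post or from any PGP implementation. It assumes a toy model in which key validity is derived from signatures while trust in a key as an introducer is a separate, explicit decision that does not chain, and it uses a constructed keyring (the names "me", "A" through "E" and "joe" are made up). It goes slightly beyond the post by adding a signer threshold, which is how the "diverse paths should carry extra weight" idea is usually implemented, and by enumerating the independent signing chains that reach a key.

```python
# Added illustration (not from the post): a toy PGP-style web-of-trust
# evaluator. Key validity is derived from signatures; trust in a key as an
# introducer is a separate, explicit decision, and it does not chain.
from collections import defaultdict


def key_validity(signatures, own_keys, introducers, threshold=1):
    """Return the set of keys this evaluator considers valid.

    signatures:  dict mapping key -> set of keys that signed it
    own_keys:    keys the evaluator controls; anything they signed is valid
    introducers: keys the evaluator trusts to vouch for other keys
    threshold:   how many valid *and* trusted signers a key otherwise needs
    """
    own = set(own_keys)
    valid = set(own)
    changed = True
    while changed:                       # iterate to a fixed point
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            good = {s for s in signers if s in valid and s in introducers}
            if signers & own or len(good) >= threshold:
                valid.add(key)
                changed = True
    return valid


def signing_paths(signatures, source, target, max_len=6):
    """Enumerate simple signing chains source -> ... -> target.

    Supports the 'diverse paths' argument: several independent chains
    ending at the same key are stronger evidence than one long chain.
    """
    signed = defaultdict(set)            # signer -> keys it has signed
    for key, signers in signatures.items():
        for s in signers:
            signed[s].add(key)
    found = []

    def walk(node, path):
        if node == target:
            found.append(list(path))
            return
        if len(path) >= max_len:
            return
        for nxt in sorted(signed[node]):
            if nxt not in path:          # no cycles
                walk(nxt, path + [nxt])

    walk(source, [source])
    return found


# Constructed sample keyring: the chain from the post, me -> A -> B -> C -> D -> joe
CHAIN = {
    "A": {"me"},
    "B": {"A"},
    "C": {"B"},
    "D": {"C"},
    "joe": {"D"},
}

# Same chain, but I have also verified and signed D's key myself, and an
# independent acquaintance E (also signed by me) has signed joe's key.
DIVERSE = {
    "A": {"me"},
    "B": {"A"},
    "C": {"B"},
    "D": {"C", "me"},
    "E": {"me"},
    "joe": {"D", "E"},
}


def demo():
    """Run the scenarios the post describes and return the outcomes."""
    return {
        # Long chain, only my own key trusted as introducer: joe stays invalid.
        "chain_only_me": key_validity(CHAIN, {"me"}, {"me"}),
        # Trusting D as introducer does not help while D's key is not valid to me.
        "chain_trust_D": key_validity(CHAIN, {"me"}, {"me", "D"}),
        # Once I know D (I signed D's key) and trust D, joe becomes valid.
        "know_D": key_validity(DIVERSE, {"me"}, {"me", "D"}),
        # Requiring two trusted signers: joe passes only when D and E are both trusted.
        "two_signers_D_only": key_validity(DIVERSE, {"me"}, {"me", "D"}, threshold=2),
        "two_signers_D_and_E": key_validity(DIVERSE, {"me"}, {"me", "D", "E"}, threshold=2),
        # Independent chains from my key to joe's in the diverse keyring.
        "paths_to_joe": signing_paths(DIVERSE, "me", "joe"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Running `demo()` shows the two halves of the argument side by side: with only my own key trusted, the five-hop chain leaves joe's key invalid, and declaring trust in D changes nothing until I have verified D's key directly; in the diverse keyring, joe's key is reached by three distinct chains, and raising the threshold to two trusted signers makes the extra path count.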