Key verification schemes...

Curt Smith objectpascal at yahoo.com
Wed May 29 06:03:13 PDT 2002


(in response to a topic mentioned in various threads)

I agree that neither CA-verification nor WoT-verification is as
useful as Key Fingerprint-verification for secure communication
between crypto-aware individuals.  After all, CA's can be
subverted and WoT is probably best used as a back-up option
when direct key verification is not possible.  Key Fingerprints
can be verified in both PGP and S/MIME, but neither system
enforces it.  I would prefer for Key Fingerprint-verification
to be more central to the system.

--- jamesd at echeque.com wrote:
...
> The hierarchical verisign model is useful when one wishes to 
> verify that something comes from a famous and well known 
> name --that this software really is issued by Flash, that 
> this website really does belong to the Bank of America.  In 
> this case, however, only famous and well known names need 
> their keys from verisign.  No one else needs one.
>
> When one wishes to know one is really communicating with Bob,
> it is best to use the same channels to verify this is Bob's 
> key, as one used to verify that Bob is the guy one wishes to 
> talk to.  The web of trust, and Verisign, merely get in the 
> way. 
...

--- Eric Murray <ericm at lne.com> wrote:
...
> And to be honest, exactly zero of the PGP exchanges I have 
> had have actually used the web of trust to really verify a 
> PGP key.  I've only done it in testing.  In the real world, I
> either verify out of band (i.e. over the phone) or don't 
> bother if the other party is too clueless to understand what 
> I want to do and getting them to do PGP at all has already 
> exhausted my patience.
...

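A worked illustration of the fingerprint verification Curt prefers, added here and not part of the original thread: it computes an OpenPGP v4 fingerprint (RFC 4880: SHA-1 over 0x99, a two-octet length, and the public-key packet body) for a constructed toy RSA public key and checks it against a fingerprint read back out of band, e.g. over the phone. The key material, creation time and function names are all constructed for the example.

```python
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 RSA public-key packet: version, creation time, algorithm 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99, the two-octet body length, and the body."""
    prefix = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(prefix + body).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """A v4 key ID is the low-order 64 bits, i.e. the last 16 hex digits, of the fingerprint."""
    return fingerprint[-16:]


def pretty(fingerprint: str) -> str:
    """Group into blocks of four hex digits, the form PGP shows for reading aloud."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))


def fingerprint_matches(local: str, spoken: str) -> bool:
    """Compare the locally computed fingerprint with one read out of band.
    Whitespace and case are ignored; both must be full 40-digit fingerprints
    (a short key ID is not enough), and the comparison is constant-time."""
    a = "".join(local.split()).upper()
    b = "".join(spoken.split()).upper()
    return len(a) == 40 and len(b) == 40 and hmac.compare_digest(a, b)


# Constructed toy key: a placeholder 512-bit modulus, not a real key.
TOY_N = (1 << 511) | 0x1234567
TOY_E = 65537
TOY_BODY = v4_public_key_body(1022656993, TOY_N, TOY_E)  # constructed creation time

if __name__ == "__main__":
    fp = v4_fingerprint(TOY_BODY)
    print("Fingerprint:", pretty(fp))
    print("Key ID:     ", key_id(fp))
    # What the other party reads back over the phone must match the full fingerprint.
    print("Match:", fingerprint_matches(fp, pretty(fp).lower()))
```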

More information about the cypherpunks-legacy mailing list