Key verification schemes...
Curt Smith
objectpascal at yahoo.com
Wed May 29 06:03:13 PDT 2002
(in response to a topic mentioned in various threads)
I agree that neither CA-verification nor WoT-verification is as
useful as Key Fingerprint-verification for secure communication
between crypto-aware individuals. After all, CAs can be
subverted and WoT is probably best used as a back-up option
when direct key verification is not possible. Key Fingerprints
can be verified in both PGP and S/MIME, but neither system
enforces it. I would prefer for Key Fingerprint-verification
to be more central to the system.
--- jamesd at echeque.com wrote:
...
> The hierarchical verisign model is useful when one wishes to
> verify that something comes from a famous and well known
> name --that this software really is issued by Flash, that
> this website really does belong to the Bank of America. In
> this case, however, only famous and well known names need
> their keys from verisign. No one else needs one.
>
> When one wishes to know one is really communicating with Bob,
> it is best to use the same channels to verify this is Bob's
> key, as one used to verify that Bob is the guy one wishes to
> talk to. The web of trust, and Verisign, merely get in the
> way.
...
--- Eric Murray <ericm at lne.com> wrote:
...
> And to be honest, exactly zero of the PGP exchanges I have
> had have actually used the web of trust to really verify a
> PGP key. I've only done it in testing. In the real world, I
> either verify out of band (i.e. over the phone) or don't
> bother if the other party is too clueless to understand what
> I want to do and getting them to do PGP at all has already
> exhausted my patience.
...
=====
end
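What "verifying the fingerprint" actually compares, as an added example (not code from the post or from any of the people quoted in it): the v4 OpenPGP fingerprint is the SHA-1 of 0x99, a two-octet length, and the whole Public-Key packet body (RFC 4880, section 12.2), so the creation time and algorithm are bound into it along with the key material. The RSA modulus BOB_N, exponent BOB_E and creation time BOB_CREATED below are constructed values, not a real key. The check normalises the spacing and case that gpg prints, compares in constant time, and refuses a bare key ID, which is only the low 64 bits and is what a careless out-of-band check tends to read back.

```python
import hashlib
import hmac
import struct

# Constructed sample key: an arbitrary 256-bit modulus, e = 65537, and a creation
# time of 2002-05-29 13:03:13 UTC (the date of this post). Not a real key.
BOB_N = 0xC3A1F09D58E2B3C74A6F1E9D2B8C4F5E7A9D1B3C5E7F9A2B4D6E8F0A1C3E5D7F
BOB_E = 65537
BOB_CREATED = 1022677393


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then the magnitude."""
    if value < 0:
        raise ValueError("MPI values are non-negative")
    bit_len = value.bit_length()
    body = value.to_bytes((bit_len + 7) // 8, "big") if bit_len else b""
    return struct.pack(">H", bit_len) + body


def v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version-4 Public-Key packet for RSA (algorithm id 1):
    version octet, 4-octet creation time, algorithm octet, MPI n, MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(pubkey_body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99 || two-octet body length || body, as hex."""
    if len(pubkey_body) > 0xFFFF:
        raise ValueError("v4 fingerprint length prefix is two octets")
    data = b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body
    return hashlib.sha1(data).hexdigest().upper()


def normalize(fpr: str) -> str:
    """Drop the spacing PGP prints for humans and ignore case."""
    return "".join(fpr.split()).upper()


def display(fpr: str) -> str:
    """Group a 40-hex-digit fingerprint into ten blocks of four, as gpg does."""
    f = normalize(fpr)
    groups = [f[i:i + 4] for i in range(0, len(f), 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def key_id(fpr: str) -> str:
    """Long key ID: the low 64 bits (last 16 hex digits) of a v4 fingerprint."""
    return normalize(fpr)[-16:]


def verify_out_of_band(pubkey_body: bytes, trusted_fpr: str) -> bool:
    """Compare the fingerprint of a received key with one obtained over a
    channel you already trust (phone, in person). Anything that is not a
    full 40-hex-digit fingerprint (e.g. only a key ID) is rejected, and the
    comparison is constant-time."""
    expected = normalize(trusted_fpr)
    if len(expected) != 40 or any(c not in "0123456789ABCDEF" for c in expected):
        return False
    actual = v4_fingerprint(pubkey_body)
    return hmac.compare_digest(actual.encode(), expected.encode())


if __name__ == "__main__":
    body = v4_rsa_public_key_body(BOB_N, BOB_E, BOB_CREATED)
    fpr = v4_fingerprint(body)
    print("fingerprint:", display(fpr))
    print("key id:     ", key_id(fpr))
    # The string Bob reads out over the phone is compared against the received key.
    print("verified:", verify_out_of_band(body, display(fpr)))
    # Same modulus, different creation time: a different key, different fingerprint.
    other = v4_rsa_public_key_body(BOB_N, BOB_E, BOB_CREATED + 1)
    print("tampered:", verify_out_of_band(other, display(fpr)))
    # A key ID alone is never accepted as verification.
    print("key id only:", verify_out_of_band(body, key_id(fpr)))
```

The same shape of check applies to S/MIME: hash the DER-encoded certificate (or its SubjectPublicKeyInfo) and compare against the value read over the trusted channel, rather than stopping at "the chain validated to a root".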