
Re: Web of Trust (a revolution)



On Mon, 2009-03-30 at 11:23 +0100, Anne Wilson wrote:
> If you examine my key you will see that it is signed by a number of
> people who have properly verified that I am who I say I am.  This is
> essential for the web of trust to work, but frankly it is not
> understood by many people, and I've seen conversations where people
> will sign anyone's key.  The whole web of trust falls apart when this
> happens.

Looking at your key, using the seahorse program, I can see nothing that
gives me any indication that the signers have checked anything, only a
list of names of who the signers are.  Not very helpful...  You'd have
to use something else to see certification levels, e.g. command line
tools.  Of course the indicator will only be that person X *says*
they've checked you out.  There's nothing to enforce them being
truthful.

As you say, some will sign anything willy nilly.  The web of trust is
really only useful with people that you actually know.  You can't make
any assumptions just because a key is counter-signed.  A third party's
referral is useless.  The only third party that you could trust would be
some service that you know refuses to sign keys without adequate
verification, assuming that there is one, and that you know of their
reputation.

-- 
[tim localhost ~]$ uname -r
2.6.27.19-78.2.30.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.
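
The certification levels mentioned in the message above can be read from GnuPG's machine-readable listing (`gpg --with-colons --list-sigs <keyid>`), where field 11 of each `sig` record carries the signature class. This is an added example, not part of the original post; the key IDs, names and dates in the sample listing are constructed.

```python
# Added example: the sample listing is constructed, not taken from real keys.
# Field 11 of a "sig" record is the signature class: two hex digits
# (RFC 4880 signature type) plus 'x' (exportable) or 'l' (local-only).
CERT_LEVELS = {
    0x10: "generic: no statement about checking",
    0x11: "persona: signer did not verify identity",
    0x12: "casual: signer claims some checking",
    0x13: "positive: signer claims substantial checking",
}

SAMPLE = """\
pub:-:2048:1:AAAAAAAAAAAAAAAA:1200000000:::-:::scESC:
uid:-::::1200000000::::Alice Example <alice@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1200000000::::Alice Example <alice@example.org>:13x:
sig:::1:BBBBBBBBBBBBBBBB:1210000000::::Bob Example <bob@example.org>:10x:
sig:::17:CCCCCCCCCCCCCCCC:1220000000::::Carol Example <carol@example.org>:12x:
sig:::1:DDDDDDDDDDDDDDDD:1230000000::::[User ID not found]:13l:
"""


def certifications(colon_output):
    """Return (signer_keyid, signer_uid, level, exportable) for each
    third-party certification; self-signatures are skipped."""
    primary, found = None, []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            primary = f[4]  # key ID of the key being listed
        elif f[0] == "sig" and len(f) > 10 and len(f[10]) == 3:
            try:
                level = int(f[10][:2], 16)
            except ValueError:
                continue  # malformed class field
            if level in CERT_LEVELS and f[4] != primary:
                found.append((f[4], f[9], level, f[10][2] == "x"))
    return found


if __name__ == "__main__":
    for keyid, uid, level, exportable in certifications(SAMPLE):
        scope = "exportable" if exportable else "local-only"
        print(f"{keyid}  0x{level:02x} {CERT_LEVELS[level]} ({scope})  {uid}")
```

The level printed for each signer is only the value that signer recorded when certifying the key; nothing in the listing shows whether the check was actually done.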



