On Monday 30 March 2009 12:47:49 Tim wrote:
> On Mon, 2009-03-30 at 11:23 +0100, Anne Wilson wrote:
> > If you examine my key you will see that it is signed by a number of
> > people who have properly verified that I am who I say I am. This is
> > essential for the web of trust to work, but frankly it is not
> > understood by many people, and I've seen conversations where people
> > will sign anyone's key. The whole web of trust falls apart when this
> > happens.
>
> Looking at your key, using the seahorse program, I can see nothing that
> gives me any indication that the signers have checked anything, only a
> list of names of who the signers are. Not very helpful... You'd have
> to use something else to see certification levels, e.g. command line
> tools. Of course the indicator will only be that person X *says*
> they've checked you out. There's nothing to enforce them being
> truthful.
>
Exactly. In this case there were all the appropriate checks, but all you can see is a list of names, and I suppose you can check that those names are ones you have reason to trust, but that's all, and it's a bit vague. The person who signed the key had to produce their own key to sign it, and that key will also have signatures of people that have checked his identity, but it does depend entirely on the web of trust being respected, carried out to the letter. Which was my point.

> As you say, some will sign anything willy-nilly. The web of trust is
> really only useful with people that you actually know. You can't make
> any assumptions just because a key is counter-signed. A third party's
> referral is useless. The only third party that you could trust would be
> some service that you know refuses to sign keys without adequate
> verification, assuming that there is one, and that you know of their
> reputation.
>
Absolutely.

It would help if the action of signing included some information about the act, such as whether it was carried out at a LUG, Conference, or some other organisation, so you could come to some decision about its reliability, but there is no such thing. Consequently I am advocating, as you are, careful thought about how much credence to put on gpg- (or pgp-) signing.

Anne
--
New to KDE4? - get help from http://userbase.kde.org
Just found a cool new feature? Add it to UserBase
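Tim's remark that certification levels are only visible with command-line tools, and are only what the signer *says* they checked, can be made concrete with the following script; it is an added example, not code from this thread, that reads the colon-delimited output of `gpg --with-colons --check-sigs KEYID` and lists, per user ID, the RFC 4880 certification class each third-party signer asserted. The helpers `summarise` and `positive_signers` are hypothetical names, and the key IDs, names and records in `SAMPLE` are constructed.

```python
"""Added example: tabulate the certification class of each third-party
signature on a key, from `gpg --with-colons --check-sigs KEYID` output.
Field positions follow GnuPG's doc/DETAILS; the class is only the signer's
own claim about how they checked the key holder."""
# RFC 4880 section 5.2.1 certification classes (what the signer asserts).
CERT_CLASSES = {
    0x10: "generic (no statement about verification)",
    0x11: "persona (identity not verified)",
    0x12: "casual (casual verification)",
    0x13: "positive (substantial verification)",
}

def summarise(colon_text):
    """Map each user ID to the third-party certifications on it."""
    own_keyid, current, uids = None, None, {}
    for line in colon_text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            own_keyid = f[4]
        elif f[0] == "uid":
            current = uids.setdefault(f[9], [])
        elif f[0] == "sub":
            current = None  # subkey binding sigs (0x18) are not certifications
        elif f[0] == "sig" and current is not None and f[4] != own_keyid:
            cls = int(f[10][:2], 16)  # field 11, e.g. "13x" -> 0x13
            current.append({
                "signer": f[9], "keyid": f[4], "class": cls,
                "label": CERT_CLASSES.get(cls, "unknown 0x%02x" % cls),
                "local": f[10].endswith("l"),  # made with lsign, not exportable
                "verified": f[1] == "!",  # "!" = checked against signer's key
            })
    return uids

def positive_signers(uids):
    """Key IDs whose signature verified and asserts positive (0x13) checking."""
    return sorted({s["keyid"] for sigs in uids.values() for s in sigs
                   if s["verified"] and s["class"] == 0x13})

# Constructed sample: key IDs, names and dates are invented for this demo.
SAMPLE = """\
pub:f:2048:1:AAAAAAAAAAAAAAAA:1230768000:::u:::scESC::::::23::0:
uid:f::::1230768000::HASH::Anne Example <anne@example.invalid>::::::::::0:
sig:!::1:AAAAAAAAAAAAAAAA:1230768000::::Anne Example <anne@example.invalid>:13x:::::::::
sig:!::1:BBBBBBBBBBBBBBBB:1238400000::::Tim Example <tim@example.invalid>:13x:::::::::
sig:!::1:CCCCCCCCCCCCCCCC:1238400000::::Signs Anything <x@example.invalid>:10x:::::::::
sig:?::1:DDDDDDDDDDDDDDDD:1238400000::::[User ID not found]:12l:::::::::
sub:f:2048:1:EEEEEEEEEEEEEEEE:1230768000:::::e::::::23:
sig:!::1:AAAAAAAAAAAAAAAA:1230768000::::Anne Example <anne@example.invalid>:18x:::::::::
"""
print(positive_signers(summarise(SAMPLE)))  # constructed sample -> ['BBBBBBBBBBBBBBBB']
```

To run it against a real key, pass the text of `gpg --with-colons --check-sigs KEYID` to `summarise()`; the self-signature and subkey binding signatures are skipped, and a `?` status marks signers whose key is not in your keyring, so their claimed level could not even be checked for authenticity.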