Web of trust

David Picón Álvarez eleuteri@myrealbox.com
Wed Jun 5 17:36:02 2002



Hi,

% As far as I know, it's up in wwwkeys.eu.pgp.net and in pgp.mit.edu
% You can search for eleuteri@myrealbox.com

> Hmmm...  I tried both of those from my long list of keyservers; in fact,
> the first is my default.  I get:

[snip]
> (well, OK; I gave it a few *minutes* while doing something else the other
> day and *then* killed it).  Is your key 10F4B2AA the one that's up on the
> servers?

Most certainly it is. This is my long key ID just in case:
3AEBB405FB0BC8E35E1A47788572E22610F4B2AA

As far as I know, I have no trouble downloading it. If you want I can send
it to you by mail.

> You might, just to be sure, make sure of which key you're using to
> sign :-)

I know what I sign with, both because I have set it with the long ID in the
options file and because I have to enter the passphrase and because I see
the verification when the mails come back :-)


> Aside from the occasional *UG meeting nearby where bringing keys on
> floppies "just in case" is pretty standard, I haven't, either.  I was
> happy to see a couple of resources posted; I'll read up on them myself.

They look like they're potentially useful, especially in the very developed
areas like Germany or US, and in the big cities.


> Fair enough.  I haven't bothered to look; I presume such keys have lots
> of signatures on them and you can download *those* public keys from the
> servers so the whole thing settles out, right?

Yep. Moreover, if such a key would be faked, we would know very fast, I
think. In some of the links I've followed from biglumber, there is a lot of
talk about the "strongly connected set" of keys where you can trace pretty
much a lot of the crypto experts and other people too.


> Easier for me to not be confused by local vs exportable sigs, but in
> general (and perhaps in my naivete!) I agree.

I think local sigs are neat because they don't devalue my signature in the
outer world, and they don't force me to answer annoying questions all the
time. I like scripting things to the maximum possible extent.


% because of lack of people. What fired me off is a new EU directive that
% allows states to commit intrusions in people's privacy. But a security
% tool

> Yep.  That's the sort of thing that gets people riled up.

I hope many more people get.


% as GnuPG, fine as it is, is useless without enough support, because in
% effect, you depend on the other end for being able to use it.

> Right.  Not an unfair assessment, though also not necessarily as black as
> it seems.

Well, I guess things may change while awareness grows.


% I think there are many good things to say about the p2p approach as you
% call it. It's much harder to fake and so on. And I'd have serious doubts
% about

> Right -- and, in the case of something not "blessed" by those in power,
> much tougher to shut down.

True enough, though keyservers are shutable.


% always someone with more money willing to buy false certificates and the

> Yeah, that too.

Especially that, as far as I'm concerned. Moreover, it looks like their
security procedures kind of suck. At least I know of several instances of
VeriSign not being careful enough.


% like. And then, it's a central point of failure. But I just see that
% GPG/PGP users as islands in a huge ocean of apathetic users.

> Then get out there and get 'em motivated!  Evangelize, sing the praises,
> use gpg wherever you go, and don't miss a chance to tell someone about
> it, especially if you can show how it benefits you.

The fact that it doesn't have a beautiful UI for Windows doesn't help. I
like command-line tools but it's hard to convince my friends to bother with
them. Of course there are front-ends, and I suppose that will gain GnuPG
many more users.

> Hmmm...  Where's that "history of pgp" URL again?  That might be a good
> thing to hand out; in fact, I have a friend asking me "what's this
> digital signature thing you keep mentioning?" and I should point her to
> it.

Luck.


> Ah.  Fair enough.

If anyone is interested in creating something like this, do contact me.


--David.


