Mutt/GnuPG doc initial release
Mark H. Wood
Tue Sep 25 13:42:01 2001
On Tue, 25 Sep 2001, David K. Trudgett wrote:
> On Tuesday 2001-09-25 at 06:33:37 +0200, Alexander Skwar wrote:
> > from a face-to-face contact) or if it is at least signed by some
> > known authority, there's no indication whatsoever that this key
> > actually belongs to whoemever it says in the signature.
> You will now see, I hope, why that statement is wrong. You are
> assuming that it is necessary to know the "real-life" persona, whereas
> in fact, that is a false assumption.
Not only is it not necessary, it is not sufficient. You could walk up to
me face-to-face and claim to be, say, Bill Gates, and if you look enough
like him how would I know the difference?
All authentication is relative, really. Who is that "known authority"?
How do you know? A web of trust is based on judgments as to the
probability that any given link is not compromised (and so is a CA chain,
by the way). Some relationships can be extraordinarily difficult to fake,
but I have thought of none for which it is impossible.
Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu
Make a good day.