Mutt/GnuPG doc initial release

Mark H. Wood mwood@IUPUI.Edu
Tue Sep 25 13:42:01 2001

On Tue, 25 Sep 2001, David K. Trudgett wrote:

> On Tuesday 2001-09-25 at 06:33:37 +0200, Alexander Skwar wrote:
> > from a face-to-face contact) or if it is at least signed by some
> > known authority, there's no indication whatsoever that this key
> > actually belongs to whoemever it says in the signature.
> You will now see, I hope, why that statement is wrong. You are
> assuming that it is necessary to know the "real-life" persona, whereas
> in fact, that is a false assumption.
Not only is it not necessary, it is not sufficient. You could walk up to me face-to-face and claim to be, say, Bill Gates, and if you look enough like him how would I know the difference? All authentication is relative, really. Who is that "known authority"? How do you know? A web of trust is based on judgments as to the probability that any given link is not compromised (and so is a CA chain, by the way). Some relationships can be extraordinarily difficult to fake, but I have thought of none for which it is impossible. -- Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu Make a good day.