web of trust and software distribution (was: New mirror for WinPT + GnuPG installer)

Michael Nahrath gnupg-users@nahrath.de
Wed Dec 4 19:30:01 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Toxik - Fabian Rodriguez <Fabian.Rodriguez@Toxik.com> wrote on 2002-12-04
at 15:45:


> The WinPT

> You may want to subscribe/write in the list WinPT-users about this:
> http://www.winpt.org/mlist.html

Sorry, already 4 GPG related lists are enough for me.
>> When it comes to software I trust in Werner Koch. At least I have a
>> trust-path to the key that signed the source archives. I have no trust-path
>> to you or Keith.
> Where do you update your keyring to/from ?

keyserver.kjsl.com

> Personally I only sign
> keys that I get requests from and that I can verify on different
> levels, including how long I've known someone, met personally, seen
> participating in different forums, etc.

(At least public) signatures are something that needs personal contact or
at least good personal knowledge and a long telephone call.
With one exception: I have signed one CA organisation's key (with sig 2)
where I can check the fingerprint with their printed magazine (I know that
not everybody agrees with this).
They alone have signed almost 10000 keys.

So I don't have a lot of keys personally signed.

But I have set the level of 'trust' high for some people that I have not
met (nor signed) but who are well known as reliable in the OpenSource and
security scene. If someone I have signed has signed their key I have a
strong path to them and to those they have signed as a result.

Many of my trust paths to other people look like this one:
<http://keyserver.kjsl.com/~jharris/gpgwww.cgi?from=9A4C704C&to=5B0358A2>

> I don't ask for signatures
> unless I know other people can do the same kind of verification on me.

German identity cards are quite reliable documents.
First time you feel stupid to ask someone for it but that is what I do
before signing.

> I have not asked them to sign my keys yet, but I eventually may.
> However you can check my trust by making a quick search on Google,
> for example, for fabian.rodriguez@toxik.com.

Does this confirm to me that the Fabian I find there is really the owner of
key 0x5AF2A4D5?

> Trust in my OpenPGP setup for now is very low, partly because I
> spent too much time building trust on Thawte's WOT sometime ago ;) -

I have never heard about Thawte in Germany (didn't read anything about
them until yesterday).
Maybe this is a benefit of <http://www.heise.de/ct/pgpCA/> and some more
CAs (mainly at universities) that voluntarily serve as hubs in the
PGP web of trust and make getting signed rather easy for us.
Greetings, Michi
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.1 (Darwin)

iD8DBQE97knw19dRf5pMcEwRAszrAKDrGwSleKyaH/q41LPs/K36fUApWwCg5YHo
rGnHdmIs+TAqxiw8yHamjQ8=
=9VUe
-----END PGP SIGNATURE-----
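The trust-path reasoning in the mail (a key I signed after checking an ID card, high ownertrust for someone I never met, and the key that signs the source archives reached through that chain) can be worked through with a small model of GnuPG's classic trust model. This is an added example, not code from the mailing list or from GnuPG itself; the key names, certifications and ownertrust values are constructed sample data, and the thresholds are GnuPG's defaults.

```python
# Toy model of GnuPG's classic trust model with its default thresholds
# (marginals-needed=3, completes-needed=1, max-cert-depth=5). All keys,
# certifications and ownertrust values below are constructed sample data.
MARGINALS_NEEDED, COMPLETES_NEEDED, MAX_CERT_DEPTH = 3, 1, 5

def key_validity(ultimate, ownertrust, sigs):
    """ultimate: our own keys; ownertrust: key -> 'full'|'marginal';
    sigs: key -> set of keys certifying it. Returns key -> validity."""
    validity = {k: "full" for k in ultimate}
    depth = {k: 0 for k in ultimate}          # certification chain length
    changed = True
    while changed:                            # repeat until nothing improves
        changed = False
        for signed, signers in sigs.items():
            if validity.get(signed) == "full":
                continue
            # A certification counts only if the signer's key is itself fully
            # valid, its owner has ownertrust, and the chain is not too deep.
            usable = [s for s in signers if validity.get(s) == "full"
                      and depth[s] < MAX_CERT_DEPTH
                      and (s in ultimate or ownertrust.get(s) in ("full", "marginal"))]
            completes = [s for s in usable if s in ultimate or ownertrust.get(s) == "full"]
            marginals = [s for s in usable if s not in completes]
            if len(completes) >= COMPLETES_NEEDED or len(marginals) >= MARGINALS_NEEDED:
                validity[signed] = "full"
                depth[signed] = 1 + min(depth[s] for s in usable)
                changed = True
            elif marginals and validity.get(signed) != "marginal":
                validity[signed] = "marginal"   # some evidence, not enough
                changed = True
    return {k: validity.get(k, "unknown") for k in set(sigs) | set(validity)}

# Scenario from the mail: Michi signed Alice after checking her ID card, trusts
# Werner's judgement without ever having met him, and Werner certified the key
# that signs the source archives.
ULTIMATE = {"michi"}
OWNERTRUST = {"alice": "full", "werner": "full",
              "bob": "marginal", "carol": "marginal", "dave": "marginal"}
SIGS = {
    "alice": {"michi"},                 # personally verified and signed
    "werner": {"alice"},                # reached through Alice's certification
    "release-key": {"werner"},          # what actually signs the tarballs
    "bob": {"michi"}, "carol": {"michi"}, "dave": {"michi"},
    "erin": {"bob", "carol", "dave"},   # three marginal certifiers suffice
    "frank": {"bob"},                   # one marginal certifier does not
    "grace": {"erin"},                  # Erin is valid but has no ownertrust
}
def scenario():
    return key_validity(ULTIMATE, OWNERTRUST, SIGS)
```

Dropping Werner's ownertrust entry leaves his key fully valid but makes the release key "unknown" again: a signature only helps once you have both a valid signer and a decision to trust that signer's judgement.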