web of trust and software distribution

Toxik - Fabian Rodriguez Fabian.Rodriguez@Toxik.com
Wed Dec 4 20:33:02 2002

> > I don't ask for signatures
> > unless I know other people can do the same kind of verification on
> German identity cards are quite reliable documents.
> First time you feel stupid to ask someone for it but that is what I
> before signing.

I have no idea what German identity cards look like so I can't use
that. But I relate to that. I have seen many Canadian and Colombian
documents, so I can verify identity based on those. Actually, when I
do notarization through Thawte, you really need to have good
documentation :) . See point 4) at
http://fabianrodriguez.com/encryption/thawte_wot.php :

"I will have to see three (3) of either the medicare card (assurance
maladie), driver's license, birth certificate or a Canadian

I think I will do something similar for OpenPGP signatures, including
PGP fingerprint/phone verification. The beauty of OpenPGP is the
several levels of trust you can give, instead of points.

Ultimately everyone decides on their own how they give trust.

> > I have not asked them to sign my keys yet, but I eventually may.
> > However you can check my trust by making a quick search on
> > for example, for fabian.rodriguez@toxik.com.
> Does this confirm to me that the Fabian I find there is really
> the owner of
> key 0x5AF2A4D5 ?

Not 100%. It only makes your decision easier, actually if you search
for Fabian *and* 0x5AF2A4D5, you will find many public references and
messages signed with that key. The same can be done with Altavista,
etc. The more I use my public key in public archives, the more
difficult it will be for someone to make up a new one and pretend to
be me. And it has a picture.

> > Trust in my OpenPGP setup for now is very low, partly because I
> > spent too much time building trust on Thawte's WOT sometime ago
> > ;) -
> I have never heard about Thawte in Germany (didn't read anything
> them until yesterday).
> Maybe this is a benefit of <http://www.heise.de/ct/pgpCA/> and some
> CAs (mainly at Universities) that voluntarily serve as HUBs in
> PGP-web-of-trust and make getting signed rather easy for us.

Actually, Thawte originally emitted signatures to PGP keys for its
users that had both x509 and OpenPGP. It appears my public key was
not updated on other servers with the same information, but on your
keyserver there was a trust path through Thawte's signature of one of
my IDs:

Of those 200, all those with their real name instead of Thawte
Freemail Member in their ID were "notarized" members of the WOT.

Yours is a very interesting and easy way of finding trust paths, I
didn't know about it :) I'll be more careful in updates of my public
key in the future, thanks for bringing that up!

Take care,

Fabián Rodríguez - Toxik Technologies, Inc.
www.toxik.com - (514) 528-6945 @221
OpenPGP: 0x5AF2A4D5

Version: GnuPG v1.2.1-nr1 (Windows 2000) - WinPT 0.7.92-cvs
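The message above contrasts OpenPGP's graded owner trust with Thawte's point system and notes that a search across archives does not prove key ownership "100%". The following is an added example, not code from the original post or from GnuPG: a simplified model of the "classic" trust computation GnuPG uses (one fully trusted signer, or three marginally trusted signers, validates a key; certification paths are limited to five steps). The keyring, the owner-trust ratings and the certifications are all constructed for illustration; the function names `compute_validity` and `trust_paths` are this example's own.

```python
"""Simplified model of the OpenPGP "classic" trust computation used by GnuPG.

Constructed example; not code from the original mailing-list post.
Defaults mirror GnuPG's classic model: one fully trusted signer, or three
marginally trusted signers, validates a key; paths are limited to 5 steps.
"""
from collections import defaultdict

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"

# Constructed keyring: key name -> owner trust the local user assigned.
# Owner trust says how much I trust this person to certify *other* keys;
# it is separate from whether the key itself is valid (belongs to its owner).
OWNER_TRUST = {
    "me": ULTIMATE,
    "alice": FULL,
    "bob": MARGINAL,
    "carol": MARGINAL,
    "dave": MARGINAL,
    "fabian": UNKNOWN,  # will become valid, but never rated as a certifier
    "eve": UNKNOWN,
    "frank": UNKNOWN,
    "greg": UNKNOWN,
}

# Constructed certifications: (signer, signed key).
CERTIFICATIONS = [
    ("me", "alice"), ("me", "bob"), ("me", "carol"),
    ("alice", "dave"), ("alice", "frank"),
    ("bob", "fabian"), ("carol", "fabian"), ("dave", "fabian"),
    ("bob", "eve"),            # only one marginal signer: not enough
    ("fabian", "greg"),        # signer is valid but has unknown owner trust
]


def compute_validity(owner_trust, certifications,
                     completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """Return {key: (validity, depth, contributing_signers)}.

    A key is valid when it is ultimately trusted, or when enough *valid*
    signers with full (>= completes_needed) or marginal (>= marginals_needed)
    owner trust have certified it, within max_cert_depth steps.
    Only certifications made by keys that are themselves valid count.
    """
    signers_of = defaultdict(list)
    for signer, signed in certifications:
        signers_of[signed].append(signer)

    depth = {k: 0 for k, t in owner_trust.items() if t == ULTIMATE}
    via = {k: [] for k in depth}
    changed = True
    while changed:  # keep propagating until no new key becomes valid
        changed = False
        for key in owner_trust:
            if key in depth:
                continue
            full, marginal = [], []
            for s in signers_of[key]:
                if s not in depth or depth[s] >= max_cert_depth:
                    continue  # signer not (yet) valid, or path too long
                if owner_trust[s] in (ULTIMATE, FULL):
                    full.append(s)
                elif owner_trust[s] == MARGINAL:
                    marginal.append(s)
            if len(full) >= completes_needed:
                used = full[:completes_needed]
            elif len(marginal) >= marginals_needed:
                used = marginal[:marginals_needed]
            else:
                continue
            depth[key] = 1 + max(depth[s] for s in used)
            via[key] = used
            changed = True
    return {k: ("valid" if k in depth else "unknown", depth.get(k), via.get(k, []))
            for k in owner_trust}


def trust_paths(key, result):
    """Expand the certification chains from `key` back to an ultimately trusted key."""
    status, _, via = result[key]
    if status != "valid":
        return []
    if not via:
        return [[key]]
    return [path + [key] for s in via for path in trust_paths(s, result)]


if __name__ == "__main__":
    result = compute_validity(OWNER_TRUST, CERTIFICATIONS)
    for key, (status, d, via) in result.items():
        print(f"{key:7s} {status:8s} depth={d} via={via}")
    for path in trust_paths("fabian", result):
        print(" -> ".join(path))
```

In the constructed keyring, `fabian` becomes valid only because three marginally trusted people certified him, `eve` stays unknown with a single marginal signer, and `greg` stays unknown even though his signer's key is valid, because nobody assigned that signer any owner trust. That last case is the distinction the message is circling: finding a key referenced in many archives, or a key that carries a signature, tells you something about its history, but only the owner trust you assign to the certifiers turns those signatures into a validity decision.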