web of trust and software distribution
Toxik - Fabian Rodriguez
Wed Dec 4 20:33:02 2002
-----BEGIN PGP SIGNED MESSAGE-----
> > I don't ask for signatures
> > unless I know other people can do the same kind of verification on
> German identity cards are quite reliable documents.
> First time you feel stupid to ask someone for it but that is what I
> before signing.
I have no idea what German identity cards look like so I can't use
that. But I relate to that. I have seen many Canadian and Colombian
documents, so I can verify identity based on those. Actually, when I
do notarization through Thawte, you really need to have good
documentation :) . See point 4) at
"I will have to see three (3) of either the medicare card (assurance
maladie), driver's license, birth certificate or a Canadian
I think I will do something similar for OpenPGP signatures, including
PGP fingerprint/phone verification. The beauty of OpenPGP is the
several levels of trust you can give, instead of points.
Ultimately everyone decides on their own how they give trust.
> > I have not asked them to sign my keys yet, but I eventually may.
> > However you can check my trust by making a quick search on
> > for example, for email@example.com.
> Does this confirm to me that the Fabian I find there is really
> the owner of
> key 0x5AF2A4D5 ?
Not 100%. It only makes your decision easier, actually if you search
for Fabian *and* 0x5AF2A4D5, you will find many public references and
messages signed with that key. The same can be done with Altavista,
etc. The more I use my public key in public archives, the more
difficult it will be for someone to make up a new one and pretend to
be me. And it has a picture.
> > Trust in my OpenPGP setup for now is very low, partly because I
> > spent too much time building trust on Thawte's WOT sometime ago
> I have never heard about Thawte in Germany (didn't read anything
> them until yesterday).
> Maybe this is a benefit of <http://www.heise.de/ct/pgpCA/> and some
> CAs (mainly at Universities) that voluntarily serve as HUBs in
> PGP-web-of-trust and make getting signed rather easy for us.
Actually, Thawte originally emitted signatures to PGP keys for its
users that had both x509 and OpenPGP. It appears my public key was
not updated on other servers with the same information, but on your
keyserver there was a trust path through Thawte's signature of one of
Of those 200, all those with their real name instead of Thawte
Freemail Member in their ID were "notarized" members of the WOT.
Yours is a very interesting and easy way of finding trust paths, I
didn't know about it :) I'll be more careful in updates of my public
key in the future, thanks for bringing that up!
Fabián Rodríguez - Toxik Technologies, Inc.
www.toxik.com - (514) 528-6945 @221
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1-nr1 (Windows 2000) - WinPT 0.7.92-cvs
-----END PGP SIGNATURE-----