web of trust and software distribution

Toxik - Fabian Rodriguez Fabian.Rodriguez@Toxik.com
Wed Dec 4 20:33:02 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


[...]
> > I don't ask for signatures
> > unless I know other people can do the same kind of verification on me.
>
> German identity cards are quite reliable documents.
> First time you feel stupid to ask someone for it but that is what I do
> before signing.

I have no idea what German identity cards look like so I can't use
that. But I relate to that. I have seen many Canadian and Colombian
documents, so I can verify identity based on those. Actually, when I
do notarization through Thawte, you really need to have good
documentation :) . See point 4) at
http://fabianrodriguez.com/encryption/thawte_wot.php :

"I will have to see three (3) of either the medicare card (assurance
maladie), driver's license, birth certificate or a Canadian
Passport."

I think I will do something similar for OpenPGP signatures, including
PGP fingerprint/phone verification. The beauty of OpenPGP is the
several levels of trust you can give, instead of points.

Ultimately everyone decides on their own how they give trust.

> > I have not asked them to sign my keys yet, but I eventually may.
> > However you can check my trust by making a quick search on Google,
> > for example, for fabian.rodriguez@toxik.com.
>
> Does this confirm to me that the Fabian I find there is really
> the owner of key 0x5AF2A4D5 ?

Not 100%. It only makes your decision easier. Actually, if you search
for Fabian *and* 0x5AF2A4D5, you will find many public references and
messages signed with that key. The same can be done with Altavista,
etc. The more I use my public key in public archives, the more
difficult it will be for someone to make up a new one and pretend to
be me. And it has a picture.

> > Trust in my OpenPGP setup for now is very low, partly because I
> > spent too much time building trust on Thawte's WOT sometime ago ;) -
>
> I have never heard about Thawte in Germany (didn't read anything about
> them until yesterday).
> Maybe this is a benefit of <http://www.heise.de/ct/pgpCA/> and some more
> CAs (mainly at Universities) that voluntarily serve as HUBs in the
> PGP-web-of-trust and make getting signed rather easy for us.

Actually, Thawte originally emitted signatures to PGP keys for its
users that had both x509 and OpenPGP. It appears my public key was
not updated on other servers with the same information, but on your
keyserver there was a trust path through Thawte's signature of one of
my ID's:
http://keyserver.kjsl.com/~jharris/gpgwww.cgi?from=9A4C704C&to=5AF2A4D5

Of those 200, all those with their real name instead of Thawte
Freemail Member in their ID were "notarized" members of the WOT.

Yours is a very interesting and easy way of finding trust paths, I
didn't know about it :) I'll be more careful in updates of my public
key in the future, thanks for bringing that up!

Take care,

Fabián Rodríguez - Toxik Technologies, Inc.
www.toxik.com - (514) 528-6945 @221
OpenPGP: 0x5AF2A4D5


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1-nr1 (Windows 2000) - WinPT 0.7.92-cvs

iD8DBQE97lZzfUcTXFrypNURAjKOAJwJPYTY3gxcKBoWvAETOVqkdhshAQCgpQBR
MH2Q5juQUHDvLhQo0KFqz78=
=0w63
-----END PGP SIGNATURE-----
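The mail above touches two distinct ideas: finding a chain of certifications between two keys (the "from=..&to=.." keyserver lookup) and the graded trust levels OpenPGP uses to decide whether a key is actually valid. The following script is an added example, not code from the original mail or from any of the tools it mentions; it works over a small constructed signature graph with placeholder key names and implements a breadth-first trust-path search plus a simplified approximation of GnuPG's classic trust model (defaults of 1 fully trusted or 3 marginally trusted signers, certification depth at most 5). Real GnuPG also weighs signature classes, expirations and revocations, which this approximation leaves out.

```python
"""Trust-path search and GnuPG-style key validity over a constructed
OpenPGP signature graph (added example, not from the original mail)."""
from collections import deque

# Constructed data: signer -> set of keys that signer has certified.
# Key names are placeholders, not real key IDs from the thread.
SIGNATURES = {
    "ME":     {"ALICE", "BOB"},
    "ALICE":  {"CAROL", "DAVE"},
    "BOB":    {"CAROL"},
    "CAROL":  {"TARGET"},
    "DAVE":   {"TARGET"},
    "EVE":    {"TARGET"},   # EVE is signed by nobody we know
    "TARGET": set(),
}

# Constructed ownertrust assignments: how much ME trusts each key
# owner to certify other people's keys carefully.
OWNERTRUST = {
    "ME": "ultimate",
    "ALICE": "full",
    "BOB": "marginal",
    "CAROL": "marginal",
    "DAVE": "marginal",
    "EVE": "full",
}


def find_trust_path(sigs, start, goal):
    """Shortest chain of certifications from `start` to `goal` (BFS),
    the kind of answer a keyserver path lookup gives. Returns [] if
    no chain exists. Iteration is sorted so the result is deterministic."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        key = queue.popleft()
        if key == goal:
            path = []
            while key is not None:
                path.append(key)
                key = prev[key]
            return path[::-1]
        for signed in sorted(sigs.get(key, ())):
            if signed not in prev:
                prev[signed] = key
                queue.append(signed)
    return []


def compute_validity(sigs, ownertrust, ultimate, marginals_needed=3,
                     completes_needed=1, max_depth=5):
    """Simplified GnuPG classic trust model. A key becomes valid when it
    carries certifications from at least `completes_needed` already-valid
    keys with full/ultimate ownertrust, or from `marginals_needed`
    already-valid keys with marginal ownertrust. Only valid keys count as
    signers, and propagation stops after `max_depth` rounds.
    Returns {key: depth at which it became valid}."""
    signers = {}                       # key -> set of keys that signed it
    for signer, signed_keys in sigs.items():
        for signed in signed_keys:
            signers.setdefault(signed, set()).add(signer)

    valid = {ultimate: 0}
    for depth in range(1, max_depth + 1):
        newly_valid = {}
        for key, its_signers in signers.items():
            if key in valid:
                continue
            full = sum(1 for s in its_signers if s in valid
                       and ownertrust.get(s) in ("full", "ultimate"))
            marginal = sum(1 for s in its_signers if s in valid
                           and ownertrust.get(s) == "marginal")
            if full >= completes_needed or marginal >= marginals_needed:
                newly_valid[key] = depth
        if not newly_valid:
            break
        valid.update(newly_valid)
    return valid


if __name__ == "__main__":
    print("path ME -> TARGET:", find_trust_path(SIGNATURES, "ME", "TARGET"))
    print("valid keys (defaults):", compute_validity(SIGNATURES, OWNERTRUST, "ME"))
    print("valid keys (2 marginals):",
          compute_validity(SIGNATURES, OWNERTRUST, "ME", marginals_needed=2))
```

The interesting outcome is that a certification path from ME to TARGET exists (ME, ALICE, CAROL, TARGET), yet with GnuPG's default thresholds TARGET is still not valid: its two valid signers are only marginally trusted, and EVE's full-trust signature does not count because EVE's own key is not valid. Lowering marginals_needed to 2 makes TARGET valid at depth 3. That is the distinction the mail draws between "a path exists" and "not 100%".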