web of trust and software distribution

Michael Nahrath gnupg-users@nahrath.de
Wed Dec 4 22:55:02 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Toxik - Fabian Rodriguez <Fabian.Rodriguez@Toxik.com> wrote on 2002-12-04
at 20:33:

>> German identity cards are quite reliable documents. First time you feel
>> stupid to ask someone for it but that is what I do before signing.
> 
> I have no idea what German identity cards look like so I can't use
> that. 

<http://www.bundesdruckerei.de/en/products/identity/2_1_6.html> ;-)
Mine does not yet have any of that holographic stuff.
That feature is quite new.

>>> I have not asked them to sign my keys yet, but I eventually may.
>>> However you can check my trust by making a quick search on Google, for
>>> example, for fabian.rodriguez@toxik.com.
>>> 
>> Does this confirm to me that the Fabian I find there is really
>> the owner of key 0x5AF2A4D5 ?
> 
> Not 100%. It only makes your decision easier, actually if you search
> for Fabian *and* 0x5AF2A4D5, you will find many public references and
> messages signed with that key. The same can be done with Altavista,
> etc. The more I use my public key in public archives, the more
> difficult it will be for someone to make up a new one and pretend to
> be me. And it has a picture.

Unfortunately nobody will ever see this picture if you rely on existing
keyservers for key distribution.

That is why I started encouraging people to download my key directly from
my website again: <http://michael.nahrath.de/pgp/>

Nevertheless I couldn't identify you even if I had your photo ;-)
 
>>> Trust in my OpenPGP setup for now is very low, partly because I
>>> spent too much time building trust on Thawte's WOT sometime ago

>> I have never heard about Thawte in Germany (didn't read anything about them
>> until yesterday).

> Actually, Thawte originally emitted signatures to PGP keys for its
> users that had both x509 and OpenPGP. It appears my public key was
> not updated on other servers with the same information, but on your
> keyserver there was a trust path through Thawte's signature of one of
> my ID's:

Hej, this is not "my keyserver". It is Jason Harris'. I only cite.

> Of those 200, all those with their real name instead of Thawte
> Freemail Member in their ID were "notarized" members of the WOT.

You mean the 200 who signed the key 0xDE46F54F ?

<http://keyserver.kjsl.com/~jharris/ka/2002-12-01/DE/DE46F54F>
gives some more details.

> http://keyserver.kjsl.com/~jharris/gpgwww.cgi?from=9A4C704C&to=5AF2A4D5

> Yours is a very interesting and easy way of finding trust paths, I
> didn't know about it :)

It is not mine :-)

I don't know any public interface to it. I only found it as a special
feature when I was logged in at <http://www.biglumber.com/>

I hope Jason doesn't mind me advertising it. I guess it produces quite heavy
server load. So rather ask him first before you link to this service!

Greeting, Michi


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.1 (Darwin)

iD8DBQE97nn019dRf5pMcEwRAggpAJ0X5tPDBuXRruQt89yJ3jPPSQrKkQCg4jXi
ZeeHOdMYeMss2SX/v+JjcXM=
=01kB
-----END PGP SIGNATURE-----