web of trust and software distribution

Michael Nahrath michael@nahrath.de
Thu Dec 5 11:16:04 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Toxik - Fabian Rodriguez <Fabian.Rodriguez@Toxik.com> wrote on 2002-12-04
at 20:33:

>> German identity cards are quite reliable documents. First time you feel
>> stupid to ask someone for it but that is what I do before signing.
>
> I have no idea what German identity cards look like so I can't use
> that.

<http://www.bundesdruckerei.de/en/products/identity/2_1_6.html> ;-)
mine does not yet have any of that holographic stuff.
That feature is quite new.

>>> I have not asked them to sign my keys yet, but I eventually may.
>>> However you can check my trust by making a quick search on Google, for
>>> example, for fabian.rodriguez@toxik.com.
>>>
>> Does this confirm to me that the Fabian I find there is really
>> the owner of key 0x5AF2A4D5 ?
>
> Not 100%. It only makes your decision easier, actually if you search
> for Fabian *and* 0x5AF2A4D5, you will find many public references and
> messages signed with that key. The same can be done with Altavista,
> etc. The more I use my public key in public archives, the more
> difficult it will be for someone to make up a new one and pretend to
> be me. And it has a picture.

Unfortunately nobody will ever see this picture if you rely on existing
keyservers for key distribution.

That is why I started encouraging people to download my key directly from
my website again: <http://michael.nahrath.de/pgp/>

Nevertheless I couldn't identify you even if I had your photo ;-)

>>> Trust in my OpenPGP setup for now is very low, partly because I
>>> spent too much time building trust on Thawte's WOT sometime ago

>> I have never heard about Thawte in Germany (didn't read anything about them
>> until yesterday).

> Actually, Thawte originally emitted signatures to PGP keys for its
> users that had both x509 and OpenPGP. It appears my public key was
> not updated on other servers with the same information, but on your
> keyserver there was a trust path through Thawte's signature of one of
> my ID's:

Hej, this is not "my keyserver". It is Jason Harris'. I only cite.

> Of those 200, all those with their real name instead of Thawte
> Freemail Member in their ID were "notarized" members of the WOT.

You mean the 200 who signed the key 0xDE46F54F ?

<http://keyserver.kjsl.com/~jharris/ka/2002-12-01/DE/DE46F54F>
gives some more details.

> http://keyserver.kjsl.com/~jharris/gpgwww.cgi?from=9A4C704C&to=5AF2A4D5

> Yours is a very interesting and easy way of finding trust paths, I
> didn't know about it :)

It is not mine :-)

I don't know any public interface to it. I only found it as a special
feature when I was logged in at <http://www.biglumber.com/>

I hope Jason doesn't mind me advertising it. I guess it produces quite heavy
server load. So rather ask him first before you link to this service!

Greeting, Michi
- --
Michael Nahrath, Hasestraße 41, 31137 Hildesheim, T+F+AB: +49 [0]5121 513919
<http://michael.nahrath.de>   PGP-ID: 0x9A4C704C   Mobil: +49 [0]170 2955957

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.1 (Darwin)

iD8DBQE97mlf19dRf5pMcEwRAgZcAJ993qaqRyaQmfDcLHa1Mj9Vy797gQCfTWRf
T9WhNZSFRNwAxb3/s8z7NI8=
=0/0l
-----END PGP SIGNATURE-----