Third party information

Huels, Ralf SCORE
Tue Dec 10 16:25:02 2002

> they do not deserve to be in the Wot. At the very least, I would
> not have helped them get deeper into it by signing their key.

It's hard for *me* to help *him* get deeper into it ;-)
The point is that I'm as convinced of his identity as I can be.
The problem lies not with his identity but with the validity of
the public key on my key ring at home.

How likely is it that that is fake given that on one hand the
correct person claimed it by Key ID, creation date and two or
three UIDs and on the other hand the public key I have has about
90 signatures, one from a trusted introducer besides matching all
the information I got from the guy I met.

The guy I met was real. That much I know. Mallory would have had to
create a key with the same Key ID and UIDs as that guy's, get 90
signatures (many from the strong set), including one CA I trust,
have that key be the only one on the key servers and conduct a
successful MITM attack. How likely is that?

I'm convinced that I have the correct key. I declined to sign it
as a matter of policy.

> If anything, I think most people in general are not paranoid
> enough. I think the bare minimum should be checking the fingerprint,
> two picture IDs, and verifying the email afterwards.

*Two* picture IDs is fairly paranoid in a country that has mandatory
high tech ID cards. I agree though, that challenging the e-mail
addresses should be SOP.
I was just wondering how much circumstantial evidence might be
enough to replace the fingerprint.
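The question in this thread is whether Key ID, creation date and UIDs can stand in for checking the fingerprint. The following is an added example, not code from the poster or the list: it assembles an OpenPGP v4 RSA public-key packet from constructed toy values (TOY_N, TOY_E and CREATION_TIME are made up, not a real key) and computes the fingerprint as RFC 4880 section 12.2 specifies, which makes visible that the key ID is only the trailing 64 bits of the 160-bit fingerprint and that the creation date is hashed into it, so a match on Key ID plus creation date is strictly less than a match on the fingerprint.

```python
import hashlib
import struct

# Constructed toy values for illustration only; a real RSA modulus is 2048+ bits.
TOY_N = 0xC4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0E
TOY_E = 65537
CREATION_TIME = 1039533902  # constructed: a Unix timestamp in December 2002


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")


def v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version-4 public-key packet for RSA (RFC 4880 section 5.5.2):
    version byte 4, 4-byte creation time, algorithm 1 (RSA), MPI n, MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length, and the body."""
    prefix = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(prefix + body).hexdigest().upper()


def long_key_id(fingerprint_hex: str) -> str:
    """The 64-bit key ID is just the low-order 8 bytes of the fingerprint."""
    return fingerprint_hex[-16:]


def short_key_id(fingerprint_hex: str) -> str:
    """The 32-bit 'short' key ID is the low-order 4 bytes; even weaker as an identifier."""
    return fingerprint_hex[-8:]


def matches(expected_fpr: str, candidate_body: bytes) -> bool:
    """Accept a key only if its full fingerprint equals the one verified out of band.
    Spaces from a human-readable fingerprint are tolerated; case is normalised."""
    return v4_fingerprint(candidate_body) == expected_fpr.replace(" ", "").upper()


if __name__ == "__main__":
    body = v4_rsa_public_key_body(TOY_N, TOY_E, CREATION_TIME)
    fpr = v4_fingerprint(body)
    print("fingerprint :", fpr)
    print("long key ID :", long_key_id(fpr))
    print("short key ID:", short_key_id(fpr))
    # Shifting the creation time by one second yields an unrelated fingerprint.
    print("same key ID after +1s? ",
          long_key_id(v4_fingerprint(v4_rsa_public_key_body(TOY_N, TOY_E, CREATION_TIME + 1))) == long_key_id(fpr))
```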