Web of trust

Adrian 'Dagurashibanipal' von Bidder avbidder@fortytwo.ch
Wed Jun 5 15:23:01 2002


On Wed, 2002-06-05 at 22:21, David Picón Álvarez wrote:
[web of trust is difficult]


I think you probably give the idea of a 'web of trust' too much weight.
The question is always what a signature means.

The problem here is that the meaning of a signature is not narrowly defined
in the pgp system.

A signature on a message means basically only that the owner of a
certain key signed this message (and probably claims to be the author).

A signature on a key means
 - that the owner of an email address is the owner of the respective key
 - that the owner of the key has the name that is in the userid.

The problem is that gpg/pgp has no easy way to differentiate between the
latter two - while you can easily verify that I own my email address, I
could be a complete fake. So you'd better not sign my key, even locally,
and just live with the warning gpg gives when you verify my signature.

If we come to know each other, or if we did business, so that the
signature on my mail would be relevant, it is very likely that you would
like to verify who I am independently of whether we're using gpg. So in
that verification process, it is very likely that I'd be able to present
you with my key in a way you'd find to be reliable. So, then, you would
sign my key.

The same goes for encrypting: gpg won't (by default) allow encrypted
messages to people whose key you don't trust. This is ok - if you have
the need to exchange confidential messages with somebody else, it's
highly probable that you have verified the identity (and
trustworthiness) of the recipient beforehand. Again, this would probably
give an opportunity to safely exchange keys.

Of course, there is a problem if you're starting to use gpg - nobody
else has your key. But there are bound to be at least some people you can
reach off-line (face2face or by phone) to start your web of trust. The
other problem is, of course, that not many people *do* use gpg. But you
can't deal with that on a technical level anyway. You can just encourage
everybody to use gpg by using it yourself.

To summarize: building a big web of trust is not really important. The
really important thing is that you can really trust your personal web of

Hmmm. Pretty wishy washy. I hope I did get the general drift of your

-- vbi

secure email with gpg            avbidder@fortytwo.ch: key id 0x92082481
                                 avbidder@acter.ch:    key id 0x5E4B731F
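The distinction the mail draws between "who signed a key" and "how far you trust the signer" is what GnuPG's classic trust model computes from your keyring. The following is an added example, not code from the mail or from GnuPG: a small Python model of that validity calculation, run over a constructed keyring with hypothetical names (me, alice, vbi, bob, ...) instead of real key ids.

```python
# Added example (not from the original mail): a toy model of the classic
# PGP/GnuPG validity calculation (defaults: 1 full or 3 marginal introducers).

def compute_validity(keys, signatures, ownertrust,
                     completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """signatures: key -> set of signer key ids.  ownertrust: key ->
    'ultimate'|'full'|'marginal'|'unknown'.  Returns key -> validity."""
    validity = {k: "unknown" for k in keys}
    for k, trust in ownertrust.items():  # your own keys are valid by definition
        if trust == "ultimate":
            validity[k] = "full"
    # Each pass extends certification chains by one hop, so the pass count
    # bounds chain length the way --max-cert-depth does in GnuPG.
    for _ in range(max_cert_depth):
        changed = False
        for k in keys:
            if validity[k] == "full":
                continue
            full = marginal = 0
            for signer in signatures.get(k, ()):
                if validity.get(signer) != "full":  # unverified signer: no weight
                    continue
                trust = ownertrust.get(signer, "unknown")  # valid != trusted
                if trust in ("ultimate", "full"):
                    full += 1
                elif trust == "marginal":
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                new = "full"
            else:
                new = "marginal" if (full or marginal) else "unknown"
            if new != validity[k]:
                validity[k], changed = new, True
        if not changed:
            break
    return validity

def example_keyring():
    """Constructed keyring with hypothetical names, not real key ids."""
    keys = ["me", "alice", "vbi", "grace", "bob", "carol", "dave",
            "eve", "frank", "stranger", "mallory"]
    signatures = {
        "alice": {"me"}, "vbi": {"alice"}, "grace": {"vbi"},
        "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
        "eve": {"bob", "carol", "dave"}, "frank": {"bob"},
        "mallory": {"stranger"},  # signed only by a key you have never verified
    }
    ownertrust = {"me": "ultimate", "alice": "full",
                  "bob": "marginal", "carol": "marginal", "dave": "marginal"}
    return compute_validity(keys, signatures, ownertrust)
```

In the constructed keyring vbi's key comes out fully valid through alice, yet grace, signed only by vbi, stays unknown because vbi was never given ownertrust; eve needs all three marginal signers, frank with one is only marginal, and a signature from an unverified stranger buys mallory nothing.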
