Web of trust

David T-G davidtg-gnupg@justpickone.org
Wed Jun 5 15:37:01 2002

David --

BTW, I cannot find your key.  Is it up on a keyserver anywhere?

...and then David Picón Álvarez said...
% Hi,

% I've read a lot about the web of trust, and about how signatures must be
% given with extreme caution and so on. However, I find that it is very
% difficult, if not impossible, to build a sizable web of trust that is at the
% same time useful and safe. I've had to sign myself several keys because I

Fair enough.  It helps to go to key signing parties and to make phone
calls for verification (though that only tells you that the speaker is
the person whose key you have), but it certainly can be difficult to get
"tied in".

% didn't manage to find any possible route, and I've been using the resource
% of signing locally, in order not to pollute the public arena with unverified
% signatures.

That sounds like a good start.  I suppose you find that preferable to the
"are you sure you want to use this untrusted key?" questions; my choice,
on the other hand, is to not sign, even locally.

% My question is: is there a better way to do this? Are there chances that
% webs of trust will increase in the future? I just have the feeling that
% cryptography is sort of falling out of use, and I don't see much of a
% possibility that the web of trust will be ever thick enough.

I would hope that, quite on the contrary, cryptography is growing more
and more popular; here in the States, at the very least, there are more
and more people getting ticked off at government privacy invasion who are
picking up crypto simply out of defiance.

The WoT should continue to increase, just as it has for years.  The
problem is simply balancing the level of your need for verification with
the cost of doing so.  That's a reason some folks like a central
authority like VeriSign; it's easy to trust them, and then you can trust
anyone who bought one of their certificates.  Others still favor the
pgp/gpg "peer to peer" approach, you might call it.

% As well, I've been thinking whether a software solution could improve
% things. Something like sending an e-mail to the owner of a key with the
% request for a task that a computer can't do, and if the request is
% validated, then the key would acquire a given signature. Something like a
% low-level security Certification Agent. What do you think about this?

Even if it's something that a computer can't do, how do you know that the
actual intended user got it and not a middleman?  How do you know that
the actual intended user really is the person so described?  The list
goes on and on :-)

% BTW, sorry if this is off-topic, but I don't know of anywhere else where to
% discuss these issues.

Sounds topical enough to me...

% --David.


David T-G                      * It's easier to fight for one's principles
(play) davidtg@justpickone.org * than to live up to them. -- fortune cookie
(work) davidtgwork@justpickone.org
http://www.justpickone.org/davidtg/    Shpx gur Pbzzhavpngvbaf Qrprapl Npg!

Version: GnuPG v1.0.7 (GNU/Linux)
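An added illustration of the point the reply makes about balancing verification against its cost, and of what a local signature does and does not buy you. This is example code written for this page, not anything from the thread or from GnuPG itself: a small Python model of GnuPG's classic trust model with its default parameters (marginals-needed 3, completes-needed 1, max-cert-depth 5). The key ids, signatures and ownertrust values are made up for the example. A Signature with exportable=False stands in for what `gpg --lsign-key` produces, a certification that `gpg --export` leaves out:

```python
"""Toy model of how a classic OpenPGP web of trust computes key validity,
and of why a *local* signature (gpg --lsign-key) helps only its maker.
Added example for this thread; not code from the original post or from
GnuPG.  The parameters mirror GnuPG's defaults for the classic trust
model (--marginals-needed 3, --completes-needed 1, --max-cert-depth 5);
the key ids and signatures below are constructed, not real keys."""
from dataclasses import dataclass, field

# Ownertrust: how far you trust a *person* to certify other people's keys.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = 0, 1, 2, 3, 4

MARGINALS_NEEDED = 3   # three marginally trusted certifiers make a key valid
COMPLETES_NEEDED = 1   # or one fully trusted certifier
MAX_CERT_DEPTH = 5     # how long a certification chain may grow


@dataclass
class Signature:
    signer: str              # key id of the certifying key
    exportable: bool = True  # False: local signature, never published


@dataclass
class Key:
    keyid: str
    sigs: list = field(default_factory=list)


def compute_validity(keys, ownertrust, root):
    """Return {keyid: "full" | "marginal" | "unknown"} as seen from `root`,
    the ultimately trusted key whose ownertrust database is `ownertrust`."""
    valid = {root}                      # keys whose certifications may count
    result = {kid: "unknown" for kid in keys}
    result[root] = "full"
    for _depth in range(MAX_CERT_DEPTH):
        newly_valid = set()
        for kid, key in keys.items():
            if kid in valid:
                continue
            completes = marginals = 0
            for sig in key.sigs:
                # Self-signatures and signatures from keys that are not
                # themselves valid say nothing about this key.
                if sig.signer == kid or sig.signer not in valid:
                    continue
                trust = ownertrust.get(sig.signer, UNKNOWN)
                if trust in (FULL, ULTIMATE):
                    completes += 1
                elif trust == MARGINAL:
                    marginals += 1
            if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                newly_valid.add(kid)
            elif completes or marginals:
                result[kid] = "marginal"   # some trusted certifiers, not enough
        if not newly_valid:
            break
        valid |= newly_valid
        for kid in newly_valid:
            result[kid] = "full"
    return result


def export_keyring(keys):
    """What `gpg --export` publishes: the keys with local signatures stripped."""
    return {kid: Key(kid, [s for s in key.sigs if s.exportable])
            for kid, key in keys.items()}


def my_keyring():
    """Constructed keyring of the person asking the question ("ME")."""
    return {
        "ME":      Key("ME", [Signature("ALICE")]),                  # cross-signed at a party
        "ALICE":   Key("ALICE", [Signature("ME")]),                  # verified in person
        "BOB":     Key("BOB", [Signature("ME", exportable=False)]),  # phone check only: lsign
        "PEGGY":   Key("PEGGY", [Signature("ME")]),
        "TRENT":   Key("TRENT", [Signature("ALICE")]),
        "CAROL":   Key("CAROL", [Signature("ALICE")]),
        "ERIN":    Key("ERIN", [Signature("BOB"), Signature("PEGGY"), Signature("TRENT")]),
        "FRANK":   Key("FRANK", [Signature("BOB"), Signature("PEGGY")]),
        "MALLORY": Key("MALLORY", [Signature("FRANK")]),
    }


MY_OWNERTRUST = {"ME": ULTIMATE, "ALICE": FULL,
                 "BOB": MARGINAL, "PEGGY": MARGINAL, "TRENT": MARGINAL}

# Alice imports what I publish; she trusts me fully but knows nothing of the others.
ALICE_OWNERTRUST = {"ALICE": ULTIMATE, "ME": FULL}


def my_view():
    return compute_validity(my_keyring(), MY_OWNERTRUST, "ME")


def alice_view():
    return compute_validity(export_keyring(my_keyring()), ALICE_OWNERTRUST, "ALICE")


if __name__ == "__main__":
    for who, view in (("me", my_view()), ("alice", alice_view())):
        print(who, view)
```

Computed from my own ring, BOB (phone-verified and only locally signed) still counts as a valid marginal certifier, so ERIN becomes fully valid through three marginally trusted signers while FRANK, with only two, stays marginal. Alice, working from what I publish, never sees my signature on BOB and has no ownertrust for PEGGY or TRENT, so BOB and ERIN remain unknown to her. That is the trade-off the reply describes: a local signature keeps the public web clean, but it does nothing to thicken it for anyone else.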