Web of trust

David Picón Álvarez eleuteri@myrealbox.com
Wed Jun 5 16:21:02 2002

> BTW, I cannot find your key.  Is it up on a keyserver anywhere?

As far as I know, it's up in wwwkeys.eu.pgp.net and in pgp.mit.edu
You can search for eleuteri@myrealbox.com

There are a couple of bogus IDs from my initial experimentation that contain
fucked up characters and so on, because my surname is not actually Picon
Alvarez but Picón Álvarez, so that caused me a bit of trouble.

> Fair enough.  It helps to go to key signing parties and to make phone
> calls for verification (though that only tells you that the speaker is
> the person whose key you have), but it certainly can be difficult to get
> "tied in".

I haven't heard of any keysigning party in the area where I am. I study in
Leeds/UK, and I'll be on holidays back home in my dear Spain :-) but I
haven't found those kinds of events around.
About phone verification, it's certainly good enough as far as I'm

> That sounds like a good start.  I suppose you find that preferable to the
> "are you sure you want to use this untrusted key?" questions; my choice,
> on the other hand, is to not sign, even locally.

I only locally sign such keys as Zimmermann's, ESR's or the like, which are
backed by lots of people and would be damned hard to keep faked. At any
rate, the question or a local signature doesn't seem to make a hell of a
difference as far as I can see.

> I would hope that, quite on the contrary, cryptography is growing more
> and more popular; here in the States, at the very least, there are more
> and more people getting ticked off at government privacy invasion who are
> picking up crypto simply out of defiance.

I don't think that's going on in Europe. I used to have a PGP key when RSA
was in use; I used to have keys all the way through, but I rarely used them
because of lack of people. What fired me off is a new EU directive that
allows states to commit intrusions in people's privacy. But a security tool
such as GnuPG, fine as it is, is useless without enough support, because in
effect, you depend on the other end for being able to use it.

> The WoT should continue to increase, just as it has for years.  The
> problem is simply balancing the level of your need for verification with
> the cost of doing so.  That's a reason some folks like a central
> authority like VeriSign; it's easy to trust them, and then you can trust
> anyone who bought one of their certificates.  Others still favor the
> pgp/gpg "peer to peer" approach, you might call it.

I think there are many good things to say about the p2p approach as you call
it. It's much harder to fake and so on. And I'd have serious doubts about
trusting a for-profit business like VeriSign, for good reasons. There can
always be someone with more money willing to buy false certificates and the
like. And then, it's a central point of failure. But I just see GPG/PGP
users as islands in a huge ocean of apathetic users.

> Even if it's something that a computer can't do, how do you know that the
> actual intended user got it and not a middleman?  How do you know that
> the actual intended user really is the person so described?  The list
> goes on and on :-)

As I said, it wouldn't fit high-security requirements, but at least it would
allow for making sure that it's not an easy fake.

> Sounds topical enough to me...

Hope so.
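
The local-signature choice discussed above (sign a well-known key locally, or keep answering the "untrusted key" question), as an added shell example that is not part of this mail or its thread: it assumes GnuPG 2.2 or newer and uses two constructed identities in throwaway keyrings, showing that a local signature changes the validity gpg reports to you but never leaves your keyring.

```shell
#!/bin/sh
# Added example, not from the original mail: what a *local* signature
# (gpg --lsign-key) changes for the person who made it, and what it does not
# hand out to anyone else. Assumes GnuPG 2.2+; identities are constructed.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping"; exit 0; }

ME='Alice Example <alice@example.invalid>'
OTHER='Bob Example <bob@example.invalid>'
ALICE_HOME=$(mktemp -d); BOB_HOME=$(mktemp -d)   # throwaway keyrings
cleanup() { for h in "$ALICE_HOME" "$BOB_HOME"; do
  GNUPGHOME="$h" gpgconf --kill all 2>/dev/null || true; rm -rf "$h"; done; }
trap cleanup EXIT

gen_key() {   # $1 = home, $2 = user id; passphrase-less key, demo only
  GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$2" default default never 2>/dev/null
}
# Validity letter gpg gives a key in this keyring: '-' unknown (this is the
# "untrusted key" prompt), 'f' full, 'u' ultimate (our own key).
validity_of() {   # $1 = home, $2 = user id
  GNUPGHOME="$1" gpg --batch --check-trustdb 2>/dev/null
  GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" 2>/dev/null \
    | awk -F: '$1=="pub"{print $2; exit}'
}
# Signature packets that would leave this keyring if the key were exported.
exported_sigs() {   # $1 = home, $2 = user id
  GNUPGHOME="$1" gpg --batch --export "$2" 2>/dev/null \
    | GNUPGHOME="$1" gpg --batch --list-packets 2>/dev/null | grep -c ':signature packet:'
}

gen_key "$ALICE_HOME" "$ME"
gen_key "$BOB_HOME" "$OTHER"
# Bob's public key reaches Alice, as it would from a keyserver.
GNUPGHOME="$BOB_HOME" gpg --batch --export "$OTHER" 2>/dev/null \
  | GNUPGHOME="$ALICE_HOME" gpg --batch --quiet --import 2>/dev/null
BOB_FPR=$(GNUPGHOME="$ALICE_HOME" gpg --batch --with-colons --fingerprint "$OTHER" \
  2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}')

BEFORE=$(validity_of "$ALICE_HOME" "$OTHER")          # '-': gpg would warn
SIGS_BEFORE=$(exported_sigs "$ALICE_HOME" "$OTHER")   # Bob's own self-signatures
# Local (non-exportable) signature: Alice vouches for Bob to herself only.
GNUPGHOME="$ALICE_HOME" gpg --batch --yes --quiet --quick-lsign-key "$BOB_FPR" 2>/dev/null
AFTER=$(validity_of "$ALICE_HOME" "$OTHER")           # 'f': no more prompt
SIGS_AFTER=$(exported_sigs "$ALICE_HOME" "$OTHER")    # unchanged: lsig stays home
echo "validity before/after lsign: $BEFORE/$AFTER; exportable sigs: $SIGS_BEFORE/$SIGS_AFTER"
```

Exporting Bob's key after the local signature yields exactly the packets that came in, so nobody who fetches it from you inherits your judgement; an exportable signature (gpg --sign-key) would add one more signature packet.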
