Web of trust

David T-G davidtg-gnupg@justpickone.org
Wed Jun 5 16:51:02 2002


David --

...and then David Picón Álvarez said...
%
% Hi,

Hello!


%
% > BTW, I cannot find your key.  Is it up on a keyserver anywhere?
%
% As far as I know, it's up in wwwkeys.eu.pgp.net and in pgp.mit.edu
% You can search for eleuteri@myrealbox.com

Hmmm...  I tried both of those from my long list of keyservers; in fact,
the first is my default.  I get:

  [-- PGP output follows -- Wed Jun  5 09:27:41 2002 --]
  gpg: Signature made Wed Jun  5 17:23:37 2002 EST using ELG key ID 10F4B2AA
  gpg: requesting key 10F4B2AA from HKP keyserver wwwkeys.eu.pgp.net

  gpg: Interrupt caught ... exiting
  [-- End of PGP output -- The following data is signed --]

The interrupt is where I have to hit ctrl-c because it never resolves
(well, OK; I gave it a few *minutes* while doing something else the other
day and *then* killed it).  Is your key 10F4B2AA the one that's up on the
servers?


%
% There are a couple of bogus IDs from my initial experimentation that contain
% fucked up characters and so on, because my surname is not actually Picon
% Alvarez but Picón Álvarez, so that caused me a bit of trouble.

You might, just to be sure, make sure of which key you're using to sign :-)


%
% > Fair enough.  It helps to go to key signing parties and to make phone
% > calls for verification (though that only tells you that the speaker is
% > the person whose key you have), but it certainly can be difficult to get
% > "tied in".
%
% I haven't heard of any keysigning party in the area where I am. I study in
% Leeds/UK, and I'll be on holidays back home in my dear Spain :-) but I
% haven't found those kind of events around.

Aside from the occasional *UG meeting nearby where bringing keys on
floppies "just in case" is pretty standard, I haven't, either.  I was
happy to see a couple of resources posted; I'll read up on them myself.


% About phone verification, it's certainly good enough as far as I'm
% concerned.

Yeah; that's about as sure as I need to get, too.


%
% > That sounds like a good start.  I suppose you find that preferable to the
% > "are you sure you want to use this untrusted key?" questions; my choice,
% > on the other hand, is to not sign, even locally.
%
% I only locally sign such keys as Zimmerman's, ESR's or the like, which are
% backed by lots of people and would be damned hard to keep faked. At any

Fair enough.  I haven't bothered to look; I presume such keys have lots
of signatures on them and you can download *those* public keys from the
servers so the whole thing settles out, right?


% rate, the question or a local signature don't seem to make a hell of a
% difference as far as I can see.

Easier for me to not be confused by local vs exportable sigs, but in
general (and perhaps in my naivete!) I agree.


%
% > I would hope that, quite on the contrary, cryptography is growing more
% > and more popular; here in the States, at the very least, there are more
% > and more people getting ticked off at government privacy invasion who are
% > picking up crypto simply out of defiance.
%
% I don't think that's going on in Europe. I used to have a pgp key when RSA
% was in use, I used to have keys all the way through, but I rarely used them

Interesting...


% because of lack of people. What fired me off is a new EU directive that
% allows states to commit intrusions in people's privacy. But a security tool

Yep.  That's the sort of thing that gets people riled up.


% as GnuPG, fine as it is, is useless without enough support, because in
% effect, you depend on the other end for being able to use it.

Right.  Not an unfair assessment, though also not necessarily as black as
it seems.


%
...
% > authority like VeriSign; it's easy to trust them, and then you can trust
% > anyone who bought one of their certificates.  Others still favor the
% > pgp/gpg "peer to peer" approach, you might call it.
%
% I think there are many good things to say about the p2p approach as you call
% it. It's much harder to fake and so on. And I'd have serious doubts about

Right -- and, in the case of something not "blessed" by those in power,
much tougher to shut down.


% trusting a for-profit business like VeriSign, for good reasons. There can be

Same here, particularly for my encryption :-)


% always someone with more money willing to buy false certificates and the

Yeah, that too.


% like. And then, it's a central point of failure. But I just see that GPG/PGP
% users as islands in a huge ocean of apathetic users.

Then get out there and get 'em motivated!  Evangelize, sing the praises,
use gpg wherever you go, and don't miss a chance to tell someone about
it, especially if you can show how it benefits you.

Hmmm...  Where's that "history of pgp" URL again?  That might be a good
thing to hand out; in fact, I have a friend asking me "what's this
digital signature thing you keep mentioning?" and I should point her to
it.


%
...
% > the actual intended user really is the person so described?  The list
% > goes on and on :-)
%
% As I said, it wouldn't fit high-security requirements, but at least it would
% allow for making sure that it's not an easy fake.

Ah.  Fair enough.


%
%
% > Sounds topical enough to me...
%
% Hope so.

*grin*


%
%
% --David.
%
%


HTH & HAND

:-D
--
David T-G                      * It's easier to fight for one's principles
(play) davidtg@justpickone.org * than to live up to them. -- fortune cookie
(work) davidtgwork@justpickone.org
http://www.justpickone.org/davidtg/    Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
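As an added illustration (not part of the original thread) of how the "whole thing settles out" and of why a local signature silences the untrusted-key prompt without ever reaching a keyserver: the keyring, key ids and ownertrust values below are constructed, and the rules are a simplified model of GnuPG's classic trust computation with its default thresholds, not GnuPG's own code.

```python
"""Simplified model of GnuPG's classic web-of-trust validity rules.

A key becomes valid once enough already-valid, owner-trusted keys certify it
(one 'full' signer or three 'marginal' signers by default) within max-cert-depth
of an ultimately trusted key. A local (lsign) signature counts in the local
keyring exactly like an exportable one; it just never leaves the keyring.
"""
from typing import Dict, List, Set, Tuple

# GnuPG defaults: --completes-needed 1 --marginals-needed 3 --max-cert-depth 5
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5
Sig = Tuple[str, bool]  # (signer key id, exportable?)

def compute_validity(sigs: Dict[str, Set[Sig]], ownertrust: Dict[str, str]) -> Dict[str, str]:
    """Return {key id: 'full' | 'unknown'} for every key listed in sigs."""
    # Ultimately trusted keys (normally your own) are valid at depth 0.
    valid: Dict[str, int] = {k: 0 for k, t in ownertrust.items() if t == "ultimate"}
    for depth in range(1, MAX_CERT_DEPTH + 1):
        newly: Dict[str, int] = {}
        for key, signatures in sigs.items():
            if key in valid:
                continue
            full = marginal = 0
            for signer, _exportable in signatures:  # local sigs count here too
                if signer not in valid:
                    continue                        # only valid keys can certify
                trust = ownertrust.get(signer, "unknown")
                if trust in ("ultimate", "full"):
                    full += 1
                elif trust == "marginal":
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly[key] = depth
        if not newly:
            break                                   # nothing new: the web has settled
        valid.update(newly)
    return {k: ("full" if k in valid else "unknown") for k in sigs}

def exportable_sigs(sigs: Dict[str, Set[Sig]]) -> Dict[str, List[str]]:
    """Signatures that --send-keys would publish: lsign signatures are dropped."""
    return {k: sorted(s for s, exp in v if exp) for k, v in sigs.items()}

# Constructed keyring (key id -> certifications on it); ids are placeholders.
KEYRING: Dict[str, Set[Sig]] = {
    "ALICE": {("ME", True)}, "BOB": {("ME", True)}, "CAROL": {("ME", True)},
    "WELLKNOWN": {("ALICE", True), ("BOB", True), ("CAROL", True)},  # widely signed key
    "NEWKEY": {("ALICE", True), ("BOB", True)},                      # only two marginals
    "LSIGNED": {("ME", False)},                                      # lsign-ed by ME only
}
OWNERTRUST = {"ME": "ultimate", "ALICE": "marginal", "BOB": "marginal", "CAROL": "marginal"}
```

Running `compute_validity(KEYRING, OWNERTRUST)` marks WELLKNOWN valid through three marginal signers, leaves NEWKEY unknown (the case that triggers the "untrusted key" question), and marks LSIGNED valid even though `exportable_sigs` shows nothing on it would be published.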

