Web of trust

David T-G davidtg-gnupg@justpickone.org
Wed Jun 5 16:51:02 2002


David --

...and then David Picón Álvarez said...
% Hi,

% > BTW, I cannot find your key.  Is it up on a keyserver anywhere?
% As far as I know, it's up in wwwkeys.eu.pgp.net and in pgp.mit.edu
% You can search for eleuteri@myrealbox.com

Hmmm...  I tried both of those from my long list of keyservers; in fact,
the first is my default.  I get:

  [-- PGP output follows -- Wed Jun  5 09:27:41 2002 --]
  gpg: Signature made Wed Jun  5 17:23:37 2002 EST using ELG key ID 10F4B2AA
  gpg: requesting key 10F4B2AA from HKP keyserver wwwkeys.eu.pgp.net

  gpg: Interrupt caught ... exiting
  [-- End of PGP output -- The following data is signed --]

The interrupt is where I have to hit ctrl-c because it never resolves
(well, OK; I gave it a few *minutes* while doing something else the other
day and *then* killed it).  Is your key 10F4B2AA the one that's up on the

% There are a couple of bogus IDs from my initial experimentation that cont=
% fucked up characters and so on, because my surname is not actually Picon
% Alvarez but Picón Álvarez, so that caused me a bit of trouble.

You might, just to be sure, make sure of which key you're using to sign :-)

% > Fair enough.  It helps to go to key signing parties and to make phone
% > calls for verification (though that only tells you that the speaker is
% > the person whose key you have), but it certainly can be difficult to get
% > "tied in".
% I haven't heard of any keysigning party in the area where I am. I study in
% Leeds/UK, and I'll be on holidays back home in my dear Spain :-) but I
% haven't found those kind of events around.

Aside from the occasional *UG meeting nearby where bringing keys on
floppies "just in case" is pretty standard, I haven't, either.  I was
happy to see a couple of resources posted; I'll read up on them myself.

% About phone verification, it's certainly good enough as far as I'm
% concerned.

Yeah; that's about as sure as I need to get, too.

% > That sounds like a good start.  I suppose you find that preferable to t=
% > "are you sure you want to use this untrusted key?" questions; my choice,
% > on the other hand, is to not sign, even locally.
% I only locally sign such keys as Zimmermann's, ESR's or the like, which are
% backed by lots of people and would be damned hard to keep faked. At any

Fair enough.  I haven't bothered to look; I presume such keys have lots
of signatures on them and you can download *those* public keys from the
servers so the whole thing settles out, right?

% rate, the question or a local signature don't seem to make a hell of a
% difference as far as I can see.

Easier for me to not be confused by local vs exportable sigs, but in
general (and perhaps in my naivete!) I agree.

% > I would hope that, quite on the contrary, cryptography is growing more
% > and more popular; here in the States, at the very least, there are more
% > and more people getting ticked off at government privacy invasion who a=
% > picking up crypto simply out of defiance.
% I don't think that's going on in Europe. I used to have a pgp key when RSA
% was in use, I used to have keys all the way through, but I rarely used th=


% because of lack of people. What fired me off is a new EU directive that
% allows states to commit intrusions in people's privacy. But a security to=

Yep.  That's the sort of thing that gets people riled up.

% as GnuPG, fine as it is, is useless without enough support, because in
% effect, you depend on the other end for being able to use it.

Right.  Not an unfair assessment, though also not necessarily as black as
it seems.

% > authority like VeriSign; it's easy to trust them, and then you can trust
% > anyone who bought one of their certificates.  Others still favor the
% > pgp/gpg "peer to peer" approach, you might call it.
% I think there are many good things to say about the p2p approach as you c=
% it. It's much harder to fake and so on. And I'd have serious doubts about

Right -- and, in the case of something not "blessed" by those in power,
much tougher to shut down.

% trusting a for-profit business like VeriSign, for good reasons. There can=

Same here, particularly for my encryption :-)

% always someone with more money willing to buy false certificates and the

Yeah, that too.

% like. And then, it's a central point of failure. But I just see that GPG/=
% users as islands in a huge ocean of apathetic users.

Then get out there and get 'em motivated!  Evangelize, sing the praises,
use gpg wherever you go, and don't miss a chance to tell someone about
it, especially if you can show how it benefits you.

Hmmm...  Where's that "history of pgp" URL again?  That might be a good
thing to hand out; in fact, I have a friend asking me "what's this
digital signature thing you keep mentioning?" and I should point her to

% > the actual intended user really is the person so described?  The list
% > goes on and on :-)
% As I said, it wouldn't fit high-security requirements, but at least it wo=
% allow for making sure that it's not an easy fake.

Ah.  Fair enough.

% > Sounds topical enough to me...
% Hope so.


% --David.


David T-G                      * It's easier to fight for one's principles
(play) davidtg@justpickone.org * than to live up to them. -- fortune cookie
(work) davidtgwork@justpickone.org
http://www.justpickone.org/davidtg/    Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
