Web of trust
David Picón Álvarez
eleuteri@myrealbox.com
Wed Jun 5 17:36:02 2002
--n4g_y1fZ.5XiMkIG0nnxfhpcRy8C.PaU
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Hi,
% As far as I know, it's up in wwwkeys.eu.pgp.net and in pgp.mit.edu
% You can search for eleuteri@myrealbox.com
> Hmmm... I tried both of those from my long list of keyservers; in fact,
> the first is my default. I get:
[snip]
> (well, OK; I gave it a few *minutes* while doing something else the other
> day and *then* killed it). Is your key 10F4B2AA the one that's up on the
> servers?
Most certainly it is. This is my long key ID just in case:
3AEBB405FB0BC8E35E1A47788572E22610F4B2AA
As far as I know, I have no trouble donwloading it. If you want I can send
it to you by mail.
> You might, just to be sure, make sure of which key you're using to sign
:-)
I know what I sign with, both because I have set it with the long ID in the
options file and because I have to enter the passphrase and because I see
the verification when the mails come back :-)
> Aside from the occasional *UG meeting nearby where bringing keys on
> floppies "just in case" is pretty standard, I haven't, either. I was
> happy to see a couple of resources posted; I'll read up on them myself.
They look like they're potentially useful, especially in the very developed
areas like Germany or US, and in the big cities.
> Fair enough. I haven't bothered to look; I presume such keys have lots
> of signatures on them and you can download *those* public keys from the
> servers so the whole thing settles out, right?
Yep. Moreover, if such a key would be faked, we would know very fast, I
think. In some of the links I've followed from biglumber, there is a lot of
talk about the "strongly connected set" of keys where you can trace pretty
much a lot of the crypto experts and other people too.
> Easier for me to not be confused by local vs exportable sigs, but in
> general (and perhaps in my naivete!) I agree.
I think local sigs are neat because they don't devalue my signature in the
outer world, and they don't force me to answer annoying questions al the
time. I like scripting things to the maximum possible extent.
% because of lack of people. What fired me off is a new EU directive that
% allows states to commit intrusions in people's privacy. But a security
tool
> Yep. That's the sort of thing that gets people riled up.
I hope many more people get.
% as GnuPG, fine as it is, is useless without enough support, because in
% effect, you depend on the other end for being able to use it.
> Right. Not an unfair assessment, though also not necessarily as black as
> it seems.
Well, I guess things may change while awareness grows.
% I think there are many good things to say about the p2p approach as you
call
% it. It's much harder to fake and so on. And I'd have serious doubts about
> Right -- and, in the case of something not "blessed" by those in power,
> much tougher to shut down.
True enough, though keyservers are shutable.
% always someone with more money willing to buy false certificates and the
> Yeah, that too.
Especially that, as far as I'm concerned. Moreover, it looks like there
security procedures kind of suck. At least I know of several instances of
VeriSign not being careful enough.
% like. And then, it's a central point of failure. But I just see that
GPG/PGP
% users as islands in a huge ocean of apathic users.
> Then get out there and get 'em motivated! Evangelize, sing the praises,
> use gpg wherever you go, and don't miss a chance to tell someone about
> it, especially if you can show how it benefits you.
The fact that it doesn't have a beautiful UI for Windows doesn't help. I
like command-line tools but it's hard to convince my friends to bother with
them. Of course there are front-ends, and I suppose that will gain GnuPG
many more users.
> Hmmm... Where's that "history of pgp" URL again? That might be a good
> thing to hand out; in fact, I have a friend asking me "what's this
> digital signature thing you keep mentioning?" and I should point her to
> it.
Luck.
> Ah. Fair enough.
If anyone is interested in creating something like this, do contact me.
--David.
--n4g_y1fZ.5XiMkIG0nnxfhpcRy8C.PaU
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Comment: This message is digitally signed and can be verified for authenticity.
iQQXAwUAPP6g8YVy4iYQ9LKqFAL4bw//ScSXADwQ4oYAyGZJQdHZS/JJM5DHS5tE
Xc4NOQRZVGqvyGFVgicG0oO6KT7qE2sCEVMdVkou1+strkJtyWIz9XkVk4QRDWHz
I8190fcTQOq9jdBmH5yQKZP1Y0h0C/xuKB5DUWG3FauiPnX6F7WBymuwEmFlM+m/
nslu6e1pD2MVi9f7aPHOUaNdSHHK97U27iK6QeCMJXIXVGg+2gb9kO2/mgMVSb9w
FWP/uvp+AbRehDIgaPJj/kpxpfVGg7Woc5LkATLH4P2C22QIxz/BArfdHKBtk+Um
I3yjm+KDSyA1/9v6EVPdxI9nAXTfIsIuzf/7XK9OD0nLXQ39k38mKvTdiL0fciI5
Lbiz8xB+13/fKCkUF0CA3wzuRVdBk/bmuuyd1r17+8tI8LwQbiF7k8KmpeiIZY8Z
sagKZkX2pM/glMz/6yzXLxinibcq+vAyq54RUJu6TYVd4oHzUygS1tmur5JE3HZy
sSTHDt8NADL9zh0r1qgdTlUAe6CxXaznGVXk6psVvRQ5cq8EssWIZv+WHCFK4K9r
nGE6W/NuYQcgsnNSSPEy42HVs4NWRFrElSBtT5aGJ5JmKkYTXdeeEqb6kJKr/dYa
5rWuSL5neck22JsCs5AhlPFoLFKWYe5nAyAgqz1bRZVV8giDURrSrBzQIOwEMfGy
ZlC6JP7UT/UQAKDIjp2L7x+UrIKLVfKfDu+mKULRcZ8A7dQSLqRB5HAZHp8SHwXX
n5IUNtthVuL3vy2C6kUG6u2ASEQA/wSGdC6OdL9p+9xeODD1N5nrSQ7Wfhi7Z+Op
N5nJl5skJh3Ni3Y4sohhr8QT6fM5ukd/2UZoG+jrYpeUwYoLzZpT/ayhsnJweu4N
xlgRshldf8I/UCUytEuCnR4ZNDm0JI08PhvT++3tor0iPv4JvHdiaarx3vi1nFiV
n+cb7Geg7lGgaughjFvP5A34W8mubC6Fb85BQzA9iHUwtaNM8BBb2mSArLNRuLNN
kSsUjvYaL3ZN/oxpbgIPqMAT7FB17TZc5L1MfA5ngIc666c4YcXfgjmevSbTzM48
IETrViKk55l5yYtO3RQdXzmYwp55inrmZvzcVQoUQgdOlqY8YmY+w5B46fD2wHfB
wdoxIbafGxWA9CChXVji2yVNgKRQXi1hKj9BVBjLkCNdRw56NNL6tlOFLvMityEQ
cgIc9gyFTtNfujdD3GX3Dh/E0c60AKKrMFRGmXBn10nTwzpFOgW8bzXgCJYKIKS0
WBAy4He62M3lNDfLg25QP8U5pr1RYhZhdW+SlESZMNlsEYhfoBRzpGR8AgOp3vFY
tCXHFuXBTbBBo93M0AhWlEmhiA6dQasfqhyJQwKo3sIxC7+GDJLrUAC8
=5CrY
-----END PGP SIGNATURE-----
--n4g_y1fZ.5XiMkIG0nnxfhpcRy8C.PaU--