Web of trust

David Picón Álvarez eleuteri@myrealbox.com
Wed Jun 5 17:36:02 2002


% As far as I know, it's up in wwwkeys.eu.pgp.net and in pgp.mit.edu
% You can search for eleuteri@myrealbox.com

> Hmmm...  I tried both of those from my long list of keyservers; in fact,
> the first is my default.  I get:

> (well, OK; I gave it a few *minutes* while doing something else the other
> day and *then* killed it).  Is your key 10F4B2AA the one that's up on the
> servers?

Most certainly it is. This is my long key ID just in case:

As far as I know, I have no trouble downloading it. If you want I can send
it to you by mail.

> You might, just to be sure, make sure of which key you're using to sign

I know what I sign with, both because I have set it with the long ID in the
options file and because I have to enter the passphrase and because I see
the verification when the mails come back :-)

> Aside from the occasional *UG meeting nearby where bringing keys on
> floppies "just in case" is pretty standard, I haven't, either.  I was
> happy to see a couple of resources posted; I'll read up on them myself.

They look like they're potentially useful, especially in the very developed
areas like Germany or US, and in the big cities.

> Fair enough.  I haven't bothered to look; I presume such keys have lots
> of signatures on them and you can download *those* public keys from the
> servers so the whole thing settles out, right?

Yep. Moreover, if such a key would be faked, we would know very fast, I
think. In some of the links I've followed from biglumber, there is a lot of
talk about the "strongly connected set" of keys where you can trace pretty
much a lot of the crypto experts and other people too.

> Easier for me to not be confused by local vs exportable sigs, but in
> general (and perhaps in my naivete!) I agree.

I think local sigs are neat because they don't devalue my signature in the
outer world, and they don't force me to answer annoying questions all the
time. I like scripting things to the maximum possible extent.

% because of lack of people. What fired me off is a new EU directive that
% allows states to commit intrusions in people's privacy. But a security

> Yep.  That's the sort of thing that gets people riled up.

I hope many more people get.

% as GnuPG, fine as it is, is useless without enough support, because in
% effect, you depend on the other end for being able to use it.

> Right.  Not an unfair assessment, though also not necessarily as black as
> it seems.

Well, I guess things may change while awareness grows.

% I think there are many good things to say about the p2p approach as you
% it. It's much harder to fake and so on. And I'd have serious doubts about

> Right -- and, in the case of something not "blessed" by those in power,
> much tougher to shut down.

True enough, though keyservers are shuttable.

% always someone with more money willing to buy false certificates and the

> Yeah, that too.

Especially that, as far as I'm concerned. Moreover, it looks like their
security procedures kind of suck. At least I know of several instances of
VeriSign not being careful enough.

% like. And then, it's a central point of failure. But I just see that
% users as islands in a huge ocean of apathetic users.

> Then get out there and get 'em motivated!  Evangelize, sing the praises,
> use gpg wherever you go, and don't miss a chance to tell someone about
> it, especially if you can show how it benefits you.

The fact that it doesn't have a beautiful UI for Windows doesn't help. I
like command-line tools but it's hard to convince my friends to bother with
them. Of course there are front-ends, and I suppose that will gain GnuPG
many more users.

> Hmmm...  Where's that "history of pgp" URL again?  That might be a good
> thing to hand out; in fact, I have a friend asking me "what's this
> digital signature thing you keep mentioning?" and I should point her to
> it.


> Ah.  Fair enough.

If anyone is interested in creating something like this, do contact me.
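As an added illustration of the "strongly connected set" and the local-versus-exportable distinction discussed above (example code, not part of the original message): a toy signature graph over constructed placeholder key IDs, where only exportable signatures reach keyservers, so a key tied in by a local signature alone stays outside the public strong set.

```python
from collections import deque

# Constructed sample signatures: (signer, signed key, exportable?).
# Key IDs are placeholders, not real keys.
SIGS = [
    ("AAAA1111", "BBBB2222", True),
    ("BBBB2222", "CCCC3333", True),
    ("CCCC3333", "AAAA1111", True),
    ("CCCC3333", "DDDD4444", True),   # D is signed but signs nobody back
    ("AAAA1111", "EEEE5555", False),  # local sig: stays on A's own keyring
    ("EEEE5555", "AAAA1111", True),
]


def signature_graph(sigs, include_local=False):
    """Directed graph signer -> signed key. Keyservers only distribute
    exportable signatures, so include_local=False models their view."""
    graph = {}
    for signer, signed, exportable in sigs:
        graph.setdefault(signer, set())
        graph.setdefault(signed, set())
        if exportable or include_local:
            graph[signer].add(signed)
    return graph


def reachable(graph, start):
    """All keys reachable from start by following signature edges (BFS)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def strong_set(sigs, key, include_local=False):
    """Keys that key can reach and that can reach key back: the strongly
    connected set containing key, as seen with or without local sigs."""
    graph = signature_graph(sigs, include_local)
    return {k for k in reachable(graph, key) if key in reachable(graph, k)}


if __name__ == "__main__":
    print(sorted(strong_set(SIGS, "AAAA1111")))                      # A, B, C
    print(sorted(strong_set(SIGS, "AAAA1111", include_local=True)))  # A, B, C, E
```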
