Web of trust

David T-G davidtg-gnupg@justpickone.org
Thu Jun 6 01:34:02 2002


David --

...and then David Picón Álvarez said...
% Hi,


% > day and *then* killed it).  Is your key 10F4B2AA the one that's up on the
% > servers?
% Most certainly it is. This is my long key ID just in case:
% 3AEBB405FB0BC8E35E1A47788572E22610F4B2AA

I tried that and gnupg just turned it back into the short form and then
timed out.  I don't get it; I get keys all of the time (including one
less than an hour ago).

% As far as I know, I have no trouble downloading it. If you want I can send
% it to you by mail.

I suppose you should.  How very odd indeed.

% > You might, just to be sure, make sure of which key you're using to sign
% :-)
% I know what I sign with, both because I have set it with the long ID in the
% options file and because I have to enter the passphrase and because I see
% the verification when the mails come back :-)

Well, there you go.  I've been known to sign with the wrong one on
occasion, but not for long, and it seems that you've ruled out even that.

% > happy to see a couple of resources posted; I'll read up on them myself.
% They look like they're potentially useful, especially in the very developed
% areas like Germany or US, and in the big cities.

Like London, perhaps :-)

% > Fair enough.  I haven't bothered to look; I presume such keys have lots
% > of signatures on them and you can download *those* public keys from the
% > servers so the whole thing settles out, right?
% Yep. Moreover, if such a key would be faked, we would know very fast, I

Makes sense.

% think. In some of the links I've followed from biglumber, there is a lot of
% talk about the "strongly connected set" of keys where you can trace pretty
% much a lot of the crypto experts and other people too.

I haven't gotten that far, but I follow the idea.

% > Easier for me to not be confused by local vs exportable sigs, but in
% > general (and perhaps in my naivete!) I agree.
% I think local sigs are neat because they don't devalue my signature in the
% outer world, and they don't force me to answer annoying questions all the
% time. I like scripting things to the maximum possible extent.

I generally do, too, but don't have any need to script gpg to others
these days.  Perhaps that's why it hasn't been painful for me :-)

% % allows states to commit intrusions in people's privacy. But a security
% > Yep.  That's the sort of thing that gets people riled up.
% I hope many more people get.


% % as GnuPG, fine as it is, is useless without enough support, because in
% > Right.  Not an unfair assessment, though also not necessarily as black as
% > it seems.
% Well, I guess things may change while awareness grows.

Right.  We keep using it anyway, even if it isn't as useful as we would
like, and stay at the edge as it gets more useful.

% > much tougher to shut down.
% True enough, though keyservers are shutable.

Yes, but the WoT doesn't depend on only one and even if they are all shut
down people can still exchange keys, though not quite as conveniently.

% % always someone with more money willing to buy false certificates and the
% > Yeah, that too.
% Especially that, as far as I'm concerned. Moreover, it looks like their
% security procedures kind of suck. At least I know of several instances of
% VeriSign not being careful enough.


% % like. And then, it's a central point of failure. But I just see that
% % users as islands in a huge ocean of apathetic users.
% > Then get out there and get 'em motivated!  Evangelize, sing the praises,
% > use gpg wherever you go, and don't miss a chance to tell someone about
% > it, especially if you can show how it benefits you.
% The fact that it doesn't have a beautiful UI for Windows doesn't help. I

Yeah *sigh*  Even I realize that :-)

% like command-line tools but it's hard to convince my friends to bother with
% them. Of course there are front-ends, and I suppose that will gain GnuPG
% many more users.

Here's hoping!

% > Hmmm...  Where's that "history of pgp" URL again?  That might be a good
% > thing to hand out; in fact, I have a friend asking me "what's this
% > digital signature thing you keep mentioning?" and I should point her to
% > it.
% Luck.

I read it up again.  While it's quite interesting, it doesn't answer the
more basic questions "what is public-key cryptography?", "how does this
stuff all work?", and "why should anyone bother?".  Maybe I'll write one
if I can't find one :-)

% > Ah.  Fair enough.
% If anyone is interested in creating something like this, do contact me.

Like what?  I went back to my original message and still wasn't sure.

% --David.


David T-G                      * It's easier to fight for one's principles
(play) davidtg@justpickone.org * than to live up to them. -- fortune cookie
(work) davidtgwork@justpickone.org
http://www.justpickone.org/davidtg/    Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
