How to better start a web of trust

Neil Williams linux@codehelp.co.uk
Mon Jul 14 23:36:02 2003


On Monday 14 Jul 2003 8:21 pm, Renat Golubchyk wrote:
> I'm a newbie here so I have a pretty straight-forward question.
>
> None of my friends, relatives etc. signs or encrypts their messages - the
> only signed messages I ever see come from various mailing lists. I'd like
> to check the signatures of these mails, though. So it brings up some

With a suitable installation of GnuPG/PGP/client, your email client can check
the validity of any email signature, whether or not you actually trust the
key itself - "the signature is valid but the key is untrusted". That's OK, it
tells you that the email contents have not been altered since the signature
was added - which is all an email signature can do really. Knowing whether or
not the email really came from the physical person from whom you THINK it
came, that's the job of keysigning.

To check the validity of GnuPG email signatures you basically need:
1. The auto-key-retrieve setting with a suitable keyserver setting in GnuPG
2. An email client configured to use GnuPG.

It's unlikely that you'll ever have a web of trust that incorporates even a
majority of the people who post here - many are just experimenting with GnuPG
and have no signatures on their keys except the default self-sigs added when
the key was created or amended. Much more likely is that you will be able to
verify the email signatures of (nearly) every signed post here.

> questions: 1. How to start a web of trust?

Keysigning.

It's not so much starting one but joining the web that already exists. I think
it's fairly rare for someone to have a completely "closed" web, there's
usually someone whose key links into a completely different web.

As soon as you have your key signed by someone else, you enter the web of that
person. (They usually return the favour). Often, the person who signs your
key has had their key signed by some other people too. You then become part
of the web of all those other people.

e.g. I arranged a couple of keysignings within my local LUG with about five
people. (I signed five keys, my key was signed by five keys and so on.) This
created a fairly isolated web because not many of the five people had other
signatures on their keys. At a later LUG keysigning event, my key was signed
by a LUG member I knew who was part of a large Linux development project and
hey presto, the entire local LUG web became part of a much bigger web linking
into a variety of people across the entire open source community (including
some on this list who I've never even met). Little webs become attached to
larger webs. The further you get from people you have physically met, the
less trust is put on the keys. The more different connections there are, the
higher the trust. So if I meet someone at a future event who is part of the
development of a different Linux project and they are happy to sign my key,
then the little LUG web becomes a link between two much larger webs and the
trust in keys common to both webs increases, and so on.

It can seem difficult to get this started if you are on your own using GnuPG.
Search out a local Linux user group, check out biglumber.com, look at other
meeting sites (try Google and search for GnuPG keysigning).

So your question is really, where can I find reasonably local people/events
where a little keysigning is possible? LUGs are a good start.
Also try:
http://www.debian.org/events/keysigning
http://www.linux.org.au/conf/2003/keysigning/www.cryptnet.net/fdp/crypto/gpg-party.html
http://www.gnupg.org/gph/en/manual.html#AEN554
http://www.w4kwh.org/privacy/keysign.html
http://www.cryptnet.net/fdp/crypto/gpg-party.html
http://keyserver.kjsl.com/~jharris/keysigning.html

> 2. Is there a need for my relatives/friends to use gnupg (or something
> similar) for their communication?

Not necessarily, although it would make keysignings easier / more local.
However, it won't usually lead to your web being joined up with the larger
web unless you, your friends or relatives meet other users from outside your
group, usually through a LUG or special keysigning event as advertised on
sites like biglumber.


-- 

Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk

http://www.wewantbroadband.co.uk/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQA/Exe7iAEJSii8s+MRAtTBAKCLd+6/jRZdAeFeAsUYisDL5eXA6gCgnZLK
HsVoF+H6W3dHspRYyBIm7Gc=
=5cLv
-----END PGP SIGNATURE-----
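To make the trust propagation described in the post concrete (small LUG web, one member linked into a larger project, "the more different connections there are, the higher the trust"), here is an added example that is not part of the original message and not GnuPG's own code. It models GnuPG's classic trust model with its default thresholds: a key becomes valid when it is certified by one signer with full ownertrust (--completes-needed 1) or by three signers with marginal ownertrust (--marginals-needed 3); a signer's ownertrust only counts once that signer's key is itself valid; and introducer chains are capped at --max-cert-depth 5. The key names, the LUG/project scenario and the ownertrust assignments are constructed for illustration.

```python
"""Simplified model of GnuPG's classic web-of-trust validity computation.

Added example for this thread, not code from the original post or from GnuPG.
Rules modelled (GnuPG classic trust model, default thresholds):
  * your own key has ULTIMATE ownertrust and is therefore valid (depth 0);
  * another key becomes valid when it carries signatures from enough *valid*
    keys whose owners you trust as introducers: one FULL signer or three
    MARGINAL signers;
  * ownertrust only counts for signer keys that are themselves valid;
  * a signer at depth >= MAX_CERT_DEPTH can no longer introduce new keys.
All key names and trust assignments below are constructed sample data.
"""
from typing import Dict, List, Optional, Set

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"
COMPLETES_NEEDED = 1   # GnuPG default --completes-needed
MARGINALS_NEEDED = 3   # GnuPG default --marginals-needed
MAX_CERT_DEPTH = 5     # GnuPG default --max-cert-depth


def compute_validity(signatures: Dict[str, Set[str]],
                     ownertrust: Dict[str, str]) -> Dict[str, Optional[int]]:
    """Return, for every key, the certification depth at which it becomes
    valid (0 = ultimately trusted), or None if it never does.

    signatures maps a key to the set of keys that have signed (certified) it.
    ownertrust maps a key to how far you trust its owner to certify others.
    """
    keys = set(signatures) | set(ownertrust)
    for signers in signatures.values():
        keys |= signers
    depth: Dict[str, Optional[int]] = {k: None for k in keys}
    for k in keys:
        if ownertrust.get(k) == ULTIMATE:
            depth[k] = 0

    # Iterate to a fixed point: a key validated in one pass may act as an
    # introducer for further keys in the next pass.
    changed = True
    while changed:
        changed = False
        for key in keys:
            if depth[key] is not None:
                continue
            full_depths: List[int] = []
            marginal_depths: List[int] = []
            for signer in signatures.get(key, set()):
                d = depth.get(signer)
                # a signature only counts if the signer is valid and within depth
                if d is None or d >= MAX_CERT_DEPTH:
                    continue
                trust = ownertrust.get(signer, UNKNOWN)
                if trust in (ULTIMATE, FULL):
                    full_depths.append(d)
                elif trust == MARGINAL:
                    marginal_depths.append(d)
            if len(full_depths) >= COMPLETES_NEEDED:
                depth[key] = min(full_depths) + 1
                changed = True
            elif len(marginal_depths) >= MARGINALS_NEEDED:
                depth[key] = min(marginal_depths) + 1
                changed = True
    return depth


def lug_scenario() -> Dict[str, Optional[int]]:
    """Constructed scenario mirroring the post: a small LUG keysigning web
    that one member links into a larger development project's web."""
    lug = ["lug1", "lug2", "lug3", "lug4", "lug5"]
    signatures: Dict[str, Set[str]] = {}
    # everyone at the LUG event signed everyone else's key, including mine
    for k in lug:
        signatures[k] = {"me"} | {other for other in lug if other != k}
    signatures["me"] = set(lug)
    # lug1 works on a larger project and has certified one of its developers
    signatures["dev1"] = {"lug1"}
    # dev2 was signed by three separate LUG members at a later event
    signatures["dev2"] = {"lug2", "lug3", "lug4"}
    # dev3 was only ever signed by two LUG members
    signatures["dev3"] = {"lug2", "lug3"}
    # a key signed only by dev1, whose certifications I have not rated at all
    signatures["stranger"] = {"dev1"}

    ownertrust = {"me": ULTIMATE, "lug1": FULL, "lug2": MARGINAL,
                  "lug3": MARGINAL, "lug4": MARGINAL, "lug5": MARGINAL}
    return compute_validity(signatures, ownertrust)


if __name__ == "__main__":
    for name, d in sorted(lug_scenario().items()):
        print(f"{name:9s} {'valid at depth ' + str(d) if d is not None else 'NOT valid'}")
```

Running it shows the five LUG keys valid at depth 1 (signed by my ultimately trusted key), dev1 valid through the single fully trusted introducer, dev2 valid through three marginal introducers, and dev3 and "stranger" not valid: dev3 has only two marginal signatures, and dev1's signature on "stranger" counts for nothing because dev1 has no ownertrust, even though dev1's own key is valid. In real GnuPG the ownertrust values are what you set with `trust` inside `gpg --edit-key`, and `gpg --check-trustdb` recomputes the validities.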