How to better start a web of trust

Neil Williams
Mon Jul 14 23:36:02 2003


On Monday 14 Jul 2003 8:21 pm, Renat Golubchyk wrote:
> I'm a newbie here so I have a pretty straight-forward question.
> None of my friends, relatives etc. signs or encrypts their messages - the
> only signed messages I ever see come from various mailing lists. I'd like
> to check the signatures of these mails, though. So it brings up some

With a suitable installation of GnuPG/PGP/client, your email client can check
the validity of any email signature, whether or not you actually trust the
key itself - "the signature is valid but the key is untrusted". That's OK, it
tells you that the email contents have not been altered since the signature
was added - which is all an email signature can do really. Knowing whether or
not the email really came from the physical person from whom you THINK it
came, that's the job of keysigning.

To check the validity of GnuPG email signatures you basically need:
1. The auto-key-retrieve setting with a suitable keyserver setting in GnuPG
2. An email client configured to use GnuPG.

It's unlikely that you'll ever have a web of trust that incorporates even a
majority of the people who post here - many are just experimenting with GnuPG
and have no signatures on their keys except the default self-sigs added when
the key was created or amended. Much more likely is that you will be able to
verify the email signatures of (nearly) every signed post here.

> questions: 1. How to start a web of trust?


It's not so much starting one but joining the web that already exists. I think
it's fairly rare for someone to have a completely "closed" web, there's
usually someone whose key links into a completely different web.

As soon as you have your key signed by someone else, you enter the web of that
person. (They usually return the favour). Often, the person who signs your
key has had their key signed by some other people too. You then become part
of the web of all those other people.

e.g. I arranged a couple of keysignings within my local LUG with about five
people. (I signed five keys, my key was signed by five keys and so on.) This
created a fairly isolated web because not many of the five people had other
signatures on their keys. At a later LUG keysigning event, my key was signed
by a LUG member I knew who was part of a large Linux development project and
hey presto, the entire local LUG web became part of a much bigger web linking
into a variety of people across the entire open source community (including
some on this list who I've never even met). Little webs become attached to
larger webs. The further you get from people you have physically met, the
less trust is put on the keys. The more different connections there are, the
higher the trust. So if I meet someone at a future event who is part of the
development of a different Linux project and they are happy to sign my key,
then the little LUG web becomes a link between two much larger webs and the
trust in keys common to both webs increases, and so on.

It can seem difficult to get this started if you are on your own using GnuPG.
Search out a local Linux user group, check out, look at other
meeting sites (try Google and search for GnuPG keysigning).

So your question is really, where can I find reasonably local people/events
where a little keysigning is possible? LUGs are a good start.
Also try:

> 2. Is there a need for my relatives/friends to use gnupg (or something
> similar) for their communication?

Not necessarily, although it would make keysignings easier / more local.
However, it won't usually lead to your web being joined up with the larger
web unless you, your friends or relatives meet other users from outside your
group, usually through a LUG or special keysigning event as advertised on
sites like biglumber.


Neil Williams
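The distinction the reply draws between "the signature is valid" and "the key is trusted" is exactly what a mail client reads off GnuPG's machine-readable status output (`gpg --status-fd`). The following is an added example, not code from the original post or from GnuPG: it parses constructed `[GNUPG:]` status lines and reduces them to the three verdicts a client should show. The sample status lines, key IDs and user IDs are made up; the status keywords themselves (GOODSIG, BADSIG, ERRSIG, NO_PUBKEY, TRUST_*) are the ones GnuPG documents.

```python
"""Turn GnuPG --status-fd output into the verdict an email client shows.

GnuPG reports two separate things on separate status lines:
  * integrity:    GOODSIG / BADSIG / ERRSIG  (was the signed text altered?)
  * key validity: TRUST_UNDEFINED ... TRUST_ULTIMATE (does the web of trust
                  vouch that the key belongs to the named person?)
A client must not collapse the two: "good signature, untrusted key" is a
normal, useful result.  Added illustration, not GnuPG's or a client's code.
"""
from dataclasses import dataclass

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class Verdict:
    integrity: str      # "good", "bad" or "unverifiable"
    key_valid: bool     # True only for TRUST_FULLY / TRUST_ULTIMATE
    key_id: str
    user_id: str
    detail: str


def classify(status_output: str) -> Verdict:
    """Parse one verification's status lines (keyword first, then fields)."""
    integrity, key_valid = "unverifiable", False
    key_id, user_id, detail = "", "", "no signature status seen"
    for line in status_output.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split(" ", 2)
        keyword = fields[0]
        if keyword == "GOODSIG":
            integrity, key_id = "good", fields[1]
            user_id = fields[2] if len(fields) > 2 else ""
            detail = "contents unaltered since the signature was made"
        elif keyword in ("EXPKEYSIG", "REVKEYSIG"):
            integrity, key_id = "good", fields[1]
            user_id = fields[2] if len(fields) > 2 else ""
            detail = "good signature, but the signing key is expired or revoked"
        elif keyword == "BADSIG":
            integrity, key_id = "bad", fields[1]
            user_id = fields[2] if len(fields) > 2 else ""
            detail = "signed text or signature has been altered"
        elif keyword == "ERRSIG":
            integrity, key_id = "unverifiable", fields[1]
            detail = "signature could not be checked"
        elif keyword == "NO_PUBKEY":
            key_id = fields[1]
            detail = ("public key %s not in keyring "
                      "(keyserver-options auto-key-retrieve would fetch it)" % key_id)
        elif keyword in ("TRUST_FULLY", "TRUST_ULTIMATE"):
            key_valid = True          # the web of trust vouches for the key
        elif keyword in ("TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL"):
            key_valid = False         # valid signature, but key not certified
    return Verdict(integrity, key_valid, key_id, user_id, detail)


def render(v: Verdict) -> str:
    """The one-line summary a mail client should display."""
    if v.integrity == "good" and v.key_valid:
        return "Good signature from %s (key is trusted)" % v.user_id
    if v.integrity == "good":
        return "Good signature from %s, but key %s is NOT trusted: %s" % (
            v.user_id, v.key_id, v.detail)
    if v.integrity == "bad":
        return "BAD signature claiming to be from %s: %s" % (v.user_id, v.detail)
    return "Signature not verified: %s" % v.detail


# Constructed sample status output; key IDs, fingerprint and user ID are made up.
GOOD_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Poster <poster@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2003-07-14 1058222162 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
GOOD_TRUSTED = GOOD_UNTRUSTED.replace("TRUST_UNDEFINED", "TRUST_FULLY")
BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Poster <poster@example.org>
"""
MISSING_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG FEDCBA9876543210 17 2 00 1058222162 9
[GNUPG:] NO_PUBKEY FEDCBA9876543210
"""

if __name__ == "__main__":
    for sample in (GOOD_UNTRUSTED, GOOD_TRUSTED, BAD, MISSING_KEY):
        print(render(classify(sample)))
```

The MISSING_KEY case is the one item 1 of the reply's checklist addresses: with `keyserver-options auto-key-retrieve` in gpg.conf (and a `keyserver` set), GnuPG fetches the unknown key before reporting, so the verdict moves from "not verified" to "good signature, untrusted key". The practitioner's caveat is that auto-key-retrieve makes a network request for every unknown signing key, which tells the keyserver which signed mails you are reading; that is a privacy trade-off, not a correctness one.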

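The reply's description of small webs joining larger ones, and of trust rising with the number of independent connections, corresponds to a concrete rule in GnuPG's classic trust model: a key becomes valid when it is signed by one fully trusted valid key (completes-needed 1) or by three marginally trusted valid keys (marginals-needed 3), at most max-cert-depth 5 steps from your own ultimately trusted key, and ownertrust assigned to a key only counts once that key is itself valid. The block below is an added example, not GnuPG's code and not part of the original post: it runs that rule over a constructed signature graph modelled on the LUG story (the names "me", "lug1" to "lug5", "dev", "alice", "bob", "carol" and "outsider" are made up).

```python
"""Which keys does GnuPG's classic trust model consider valid?

Illustration of the documented rule (defaults: completes-needed 1,
marginals-needed 3, max-cert-depth 5); not GnuPG's own implementation.
"""
from collections import defaultdict

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


def compute_validity(ownertrust, certifications,
                     marginals_needed=3, completes_needed=1, max_cert_depth=5):
    """Return {key_name: depth} for every key that ends up fully valid.

    ownertrust:     key_name -> trust level you assigned to that key's owner
    certifications: list of (signer, signed) key signatures
    """
    signers_of = defaultdict(set)
    for signer, signed in certifications:
        signers_of[signed].add(signer)

    # Your own key(s) are valid by fiat, at depth 0.
    valid = {k: 0 for k, t in ownertrust.items() if t == ULTIMATE}

    changed = True
    while changed:          # relax until no key gains validity or a shorter path
        changed = False
        for key, signers in signers_of.items():
            # Only signatures from keys that are already valid AND carry
            # ownertrust count; a valid key with unknown trust vouches for nobody.
            complete = [s for s in signers if s in valid
                        and ownertrust.get(s, UNKNOWN) in (FULL, ULTIMATE)]
            marginal = [s for s in signers if s in valid
                        and ownertrust.get(s, UNKNOWN) == MARGINAL]
            if len(complete) >= completes_needed:
                depth = 1 + min(valid[s] for s in complete)
            elif len(marginal) >= marginals_needed:
                depth = 1 + min(valid[s] for s in marginal)
            else:
                continue    # signatures exist, but nobody trusted vouches
            if depth > max_cert_depth:
                continue    # too far from the keys you have met in person
            if key not in valid or depth < valid[key]:
                valid[key] = depth
                changed = True
    return valid


def lug_scenario():
    """Constructed graph mirroring the reply: me, five LUG members who all
    signed each other, a developer on a large project, and people reached
    only through them.  All names are made up."""
    ownertrust = {"me": ULTIMATE, "dev": FULL}
    ownertrust.update({"lug%d" % i: MARGINAL for i in range(1, 6)})
    certs = []
    for i in range(1, 6):                                   # mutual LUG keysigning
        certs += [("me", "lug%d" % i), ("lug%d" % i, "me")]
    certs += [("me", "dev"), ("dev", "me")]                 # link into the bigger web
    certs += [("dev", "bob")]                               # one full signer suffices
    certs += [("lug1", "alice"), ("lug2", "alice"), ("lug3", "alice")]  # three marginals
    certs += [("lug1", "outsider")]                         # one marginal does not
    certs += [("alice", "carol")]                           # alice valid, no ownertrust
    return ownertrust, certs


def lug_validity():
    ownertrust, certs = lug_scenario()
    return compute_validity(ownertrust, certs)


def chain_validity(length, max_cert_depth=5):
    """A straight chain me -> k1 -> k2 -> ... of fully trusted keys: only the
    first max_cert_depth hops become valid, however much trust is assigned."""
    names = ["me"] + ["k%d" % i for i in range(1, length + 1)]
    ownertrust = {n: FULL for n in names}
    ownertrust["me"] = ULTIMATE
    certs = list(zip(names, names[1:]))
    return compute_validity(ownertrust, certs, max_cert_depth=max_cert_depth)


if __name__ == "__main__":
    for name, depth in sorted(lug_validity().items(), key=lambda kv: kv[1]):
        print("%-9s valid at depth %d" % (name, depth))
    print("chain of 7: valid =", sorted(chain_validity(7)))
```

Ownertrust is the part you set by hand (the `trust` command in `gpg --edit-key`); GnuPG computes validity from it and the signatures in your keyring, and the thresholds correspond to the `--marginals-needed`, `--completes-needed` and `--max-cert-depth` options. Note how "alice" is valid through three marginal LUG signers while "outsider", signed by only one of them, is not, which is the reply's "the more different connections there are, the higher the trust" in mechanical form; and how "carol" stays invalid even though her signer is valid, because nobody has said how carefully alice checks identities before signing.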