Virtual Keysignings

Ingo Klöcker
Sun Jun 8 21:00:06 2003


On Sunday 08 June 2003 15:05, CL Gilbert wrote:
> I think the difference would be that I admit I am no notary public.
> But others do not.  Is a driver's license good enough for you?

No. I wouldn't accept a driver's license. But I would accept a passport.
Of course, it would probably be easy to fool me with a foreign
(non-German) passport because I don't know what most foreign passports
look like.

> they can be faked you know.

Every official document can be forged so that a layman can't tell the
difference. But are signatures on an OpenPGP key worth the risk?

> Do you have any training on determining fakes?


> What good is a first and last name to you anyway? There are 1000s of
> people with the same. It's only important that the Carl Gilbert that
> paid you for the work, is the Carl Gilbert you give the work to.  At
> least I think so.

You forgot the email address. Together with the email address you get a
one-to-one relation between keys and people (at least for those keys
that have a signature you trust).

Let's say I want to contact the Carl Gilbert who works at Rigid
Software. At the website of this company I find Carl's email address.
Unless I also find Carl's OpenPGP key on the company's website, I then
look for his key on the keyservers. If I now find one or more keys then
I check the signatures of those keys. If there's a key that is signed
by someone I trust then I assume that I found the correct key. That's
exactly how the web of trust works. It allows me to use keys that have
been signed by people I trust. I don't have to check all keys myself.


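
Added example, not part of the original message: the key selection described in the last paragraph (several keyserver hits for one address, keep the key certified by a signer you trust), written as a filter over the colon-separated listing that `gpg --with-colons --check-sigs` prints. The listing, key IDs, addresses and the function name are constructed for illustration.

```python
# Added example. SAMPLE is constructed text in the colon-separated layout of
# `gpg --with-colons --check-sigs`; every key ID and address in it is made up.
SAMPLE = """\
pub:-:1024:17:AAAAAAAAAAAAAAA1:1054000000:::-:::scESC:
uid:-::::1054000000::X::Carl Gilbert <carl@rigidsoftware.example>:
sig:!::17:AAAAAAAAAAAAAAA1:1054000000::::Carl Gilbert <carl@rigidsoftware.example>:13x:
sig:!::17:1111111111111111:1054100000::::Trusted Friend <friend@example.org>:10x:
pub:-:1024:17:BBBBBBBBBBBBBBB2:1054200000:::-:::scESC:
uid:-::::1054200000::X::Carl Gilbert <carl@rigidsoftware.example>:
sig:!::17:BBBBBBBBBBBBBBB2:1054200000::::Carl Gilbert <carl@rigidsoftware.example>:13x:
sig:!::17:2222222222222222:1054300000::::Unknown Person <someone@example.net>:10x:
pub:-:1024:17:CCCCCCCCCCCCCCC3:1054400000:::-:::scESC:
uid:-::::1054400000::X::Carl Gilbert <carl@rigidsoftware.example>:
sig:!::17:CCCCCCCCCCCCCCC3:1054400000::::Carl Gilbert <carl@rigidsoftware.example>:13x:
sig:-::17:1111111111111111:1054500000::::Trusted Friend <friend@example.org>:10x:
"""


def keys_vouched_for(listing, email, trusted_signers):
    """Return IDs of keys whose user ID carries `email` and has a verified
    ('!') certification made by one of `trusted_signers` (long key IDs)."""
    needle = "<" + email.lower() + ">"
    accepted, key_id, uid_matches = [], None, False
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue
        kind = f[0]
        if kind == "pub":
            # Skip revoked ('r') and expired ('e') keys entirely.
            key_id = None if f[1] in ("r", "e") else f[4]
        if kind in ("pub", "uid", "uat", "sub"):
            # Certifications that follow belong to this record; only a
            # user ID naming the address we looked up is of interest.
            uid_matches = kind in ("pub", "uid") and needle in f[9].lower()
        elif kind == "sig" and key_id and uid_matches:
            # f[1] is '!' only when gpg verified the signature; '-' (bad)
            # and '?' (signer's key missing) prove nothing.
            if f[1].startswith("!") and f[4] in trusted_signers:
                if key_id not in accepted:
                    accepted.append(key_id)
    return accepted


if __name__ == "__main__":
    print(keys_vouched_for(SAMPLE, "carl@rigidsoftware.example",
                           {"1111111111111111"}))
```

The third constructed key carries the trusted signer's key ID on a signature that failed verification, so it is rejected along with the key certified only by an unknown signer.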