Why CAs or public keysigning?

Anthony E. Greene agreene@pobox.com
Wed Jun 18 23:36:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 18-Jun-2003/13:15 +0200, "Peter L. Smilde" <peter.smilde@smilde-becker.net> wrote:
>
>But what if I (or my trustworthy friends) don't have direct contact
>with a person and his key has only been signed by CAs or by persons he
>has only met at a public keysigning party (case 4)? That means that his
>key has been signed by persons that I cannot ask personally if the
>person they checked really is the person I expect him to be (like case
>2) and I cannot recognise any relationship to him (like case 3). Then I
>only know (to the extent that anybody can check IDs and to the extent that I
>trust the signer) that the person who owns the key really has the name
>in the UID. But how do I know that the key belongs to the person I want
>to communicate with, in the face of the fact that many names are not quite
>unique?

You could ask the CA or other keysigner if the key owner is the person you
expect. They may not be able to confirm that for you. It is likely that
you will have to confirm that yourself, outside of the WoT.


Tony
- -- 
Anthony E. Greene <mailto:Anthony%20E.%20Greene%20%3Cagreene@pobox.com%3E>
OpenPGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26  C484 A42A 60DD 6C94 239D
AOL/Yahoo Messenger: TonyG05    HomePage: <http://www.pobox.com/~agreene/>
Linux. The choice of a GNU generation <http://www.linux.org/>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Anthony E. Greene <mailto:agreene@pobox.com> 0x6C94239D

iD8DBQE+8NsOpCpg3WyUI50RAozeAJ4rysM1Yqn0+w2cDFFa34tlY76UAACg0HGj
DIyc7zxUDFjodV6fpcVp/V0=
=VGxO
-----END PGP SIGNATURE-----