Why CAs or public keysigning?
Thu Jun 19 03:25:02 2003
-----BEGIN PGP SIGNED MESSAGE-----
The odds of you knowing someone who knows someone you know (three
steps) are surprisingly high (at least in the US). I believe at last
check the odds were around 1:100. Given that, you may receive a key
that has been signed by someone you know or at least trust to verify
the key in question.
Just because a key is signed with 100 signatures of people you don't
know means nothing to you. But if one of those 100 signatures is by
someone you know and trust -- that key is valid to you.
"Trust", in the PGP sense, is a personal, subjective level you assign
to a person (represented by their key) when you know they
conscientiously verify keys.
"Validity" is a measure of a key's authenticity based on the trust of
Personally, I assign no trust to anyone, because I have yet to meet
anyone as conscientious in verifying keys as I am. Surely, there are,
but I don't know them yet. Should I meet and observe someone verifying
keys on a consistent basis over a period of time, I will increase their
trust level, but for now, I only consider valid those keys which I have
personally verified and signed.
Think of a trusted person as equivalent to a notary public. Just as a
State considers valid those documents witnessed and signed by a notary
public, so would you consider valid those keys signed by those you
trust. In the WoT model, it's not a matter of the State granting trust,
Regarding public key signing parties, all they do is increase the odds
that you encounter a key signed by someone you trust. A CA is just
another "trusted" third person.
On Wednesday, June 18, 2003, at 04:15 AM, Peter L. Smilde wrote:
> But what, when I (or my trustworthy friends) don't have direct contact
> with a person and his key has only been signed by CAs or by persons he
> only has met on a public keysigning-party (case 4)? That means that his
> key has been signed by persons, that I cannot ask personally if the
> person they checked really is the person I expect him to be (like case
> 2) and I cannot recognise any relationship to him (like case 3).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)
-----END PGP SIGNATURE-----