key-signing for pseudonyms

Jeff Fisher jeff+gnupg at jeffenstein.org
Thu May 20 14:19:24 CEST 2004


On Thu, May 20, 2004 at 01:46:27AM -0400, Atom 'Smasher' wrote:
> 
> seems like he's describing robot-ca. another suggestion is just widely
> publishing the fingerprint, such as in an email header.
> 
> i agree with him on one level... but on another level it's precisely that
> "excessive analness" that makes the WOT so respected. if keysignings were
> routinely done in a casual and haphazard way, then the distributed trust
> model would quickly fall apart, or at least lose credibility.
> 
> i consider the WOT to be a great thing, but maybe it's just not for
> everyone... there are certainly groups of users that exist outside of the
> WOT and probably have no need for keysigning. there are also people who
> can just publish their fingerprint (or just key IDs) prominently and
> that's "good enough"....

What I got out of it is that for the vast majority of users, a WOT adds no
tangible benefit.  Only for specific, smaller applications does a WOT add any
real value.  For example, transferring documents between two companies, if
there are strong links between the two webs of trust within the companies,
employees will be able to send encrypted documents and information between the
two companies with confidence.

> 
> if someone wants to use pgp without becoming part of the WOT, they can...
> which achieves a goal of "setting novice users free from the burden of
> understanding certification and trust models".

This is true, and is how probably 90% of the users of PGP use it.  However, if
I want my key trusted on this list, the current thinking is (correct me if I'm
wrong) that I'll need to go to a keysigning party, and verify my real identity
with another trusted member of the list, or somebody well within this public
WOT. However, in practical terms, it is very likely that a keysigning is the
only place I would meet another list member in person, and almost impossible
that another list member would rely upon this trust for anything outside of
e-mail conversations.

I get the impression that Phil is in favor of many smaller, tightly knit webs
of trust, like my example above -- where identity is firmly established using
formal methods, and a loosely knit public web(s) of trust, where identity only
needs to be loosely established, and formal methods (identifying via passport
in person, etc) are not needed.

YMMV

-- 
jeff at jeffenstein.org                  http://www.jeffenstein.org/
I was in a beauty contest once.  I not only came in last, I was hit in
the mouth by Miss Congeniality.
		-- Phyllis Diller

More information about the Gnupg-users mailing list