Delete key from keyserver

zvrba at globalnet.hr
Sat Oct 22 22:20:10 CEST 2005


On Sat, Oct 22, 2005 at 07:31:54PM +0100, Neil Williams wrote:
> 
> That is exactly my point, NOBODY should rely on ANY of that information to 
> identify a key. The only identifier for a key is the fingerprint. You MUST 
> verify the fingerprint with the person and only then can you be sure that the 
> key is for that person.
>
> The web of trust enables such verification - if you can't meet me in person, 
> you can verify my key by having your key signed by someone who has met me 
> (there are lots).
> 
> Until that happens, you have no way of trusting that this key belongs to the 
> named person. None. The signature simply means that the message has not been 
> tampered with since being signed.
> 

I have a few objections to this.

1. Meeting in person is not scalable. Having to meet in person (or even
   hear each other over the phone) everyone that I want to communicate
   with is a hassle.

2. WoT is problematic in that it is very sparse. For example, try to
   find a path from my key by which I've signed this mail to somebody
   you trust. My problem is that I can't find another GPG user whom I can
   meet in person and arrange key signing.

And the final 'objection' is more of a philosophical one: what is IDENTITY? 
If I know a person only by email, then that email *is* the person to me.
And I know many people just by email and we are probably never going to
meet IRL, except for some strange coincidence.

Imagine a situation like this: suppose that, hypothetically, I find two
different keys on the key server named to "Neil Williams
<linux at codehelp.co.uk>", each with some number of signatures (let's say almost
equal). If none of these keys has a path of signatures that leads to some
person that I personally trust to sign keys properly... how am I to decide
WHICH of these keys is the "real" one?

And most of the time I'm not really that concerned about communicating
with "the real" Neil Williams, but more with the fact that some set of
mails came from the *same person* that happens to (rightfully, or not)
claim that his name is Neil Williams.


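The two-keys-with-one-name situation and the "same person as before" check from the message above, as an added example that is not part of the original post. The listing, fingerprints and address are constructed, and the function names are hypothetical; only the colon-separated record layout (`pub`, `fpr`, `uid`, `sub`) is GnuPG's.

```python
import re
from collections import defaultdict
# Constructed sample of `gpg --list-keys --with-colons --fingerprint` output; all values made up.
FPR_A, FPR_B, FPR_SUB, UID = "A" * 40, "B" * 40, "C" * 40, "Example User <user@example.org>"
SAMPLE = f"""\
pub:-:1024:17:{FPR_A[-16:]}:1129900000:::-:::scESC:
fpr:::::::::{FPR_A}:
uid:-::::1129900000::::{UID}:
sub:-:2048:16:{FPR_SUB[-16:]}:1129900000::::::e:
fpr:::::::::{FPR_SUB}:
pub:-:1024:17:{FPR_B[-16:]}:1129950000:::-:::scESC:
fpr:::::::::{FPR_B}:
uid:-::::1129950000::::{UID}:
"""

def _unescape(field):  # colon listings escape special bytes, e.g. ':' appears as \x3a
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)

def parse_keys(listing):
    """Return {primary fingerprint: set of user IDs}; older listings keep the first UID on 'pub'."""
    keys, current, pending, in_primary = {}, None, [], False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current, in_primary = None, True
            pending = [_unescape(f[9])] if len(f) > 9 and f[9] else []
        elif f[0] == "sub":
            in_primary = False  # the fpr record that follows belongs to a subkey
        elif f[0] == "fpr" and in_primary and len(f) > 9:
            current, in_primary = f[9], False
            keys[current] = set(pending)
        elif f[0] == "uid" and current and len(f) > 9:
            keys[current].add(_unescape(f[9]))
    return keys

def ambiguous_uids(keys):
    """User IDs claimed by more than one key, mapped to the competing fingerprints."""
    by_uid = defaultdict(list)
    for fpr, uids in keys.items():
        for uid in uids:
            by_uid[uid].append(fpr)
    return {uid: sorted(fprs) for uid, fprs in by_uid.items() if len(fprs) > 1}

def check_continuity(pins, sender, signer_fpr):
    """Pin the first signing fingerprint seen per sender; later mail must match it."""
    if sender not in pins:
        pins[sender] = signer_fpr
        return "first-seen"
    return "same-key" if pins[sender] == signer_fpr else "different-key"
```

A "same-key" result only says the mail was signed by the key seen first for that sender; it says nothing about who holds that key, which is the distinction the thread is arguing over.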

More information about the Gnupg-users mailing list