Delete key from keyserver

Neil Williams linux at
Sat Oct 22 23:14:58 CEST 2005

On Saturday 22 October 2005 9:20 pm, zvrba at wrote:
> > The web of trust enables such verification - if you can't meet me in
> > person, you can verify my key by having your key signed by someone who
> > has met me (there are lots).
> >
> > Until that happens, you have no way of trusting that this key belongs to
> > the named person. None. The signature simply means that the message has
> > not been tampered since being signed.
> I have few objections to this.

Objections don't change the reality. No-one but you can trust your key.

> 1. meeting in person is not scalable. having to meet in person (or even
>    hear each other over the phone) everyone that I want to communicate
>    with is a hassle.

As I said, you can verify my key via someone else. Once your key is in the 
"strong set" this becomes a lot easier. I regularly come across keys used on 
this list that are instantly verified by the web of trust.

The web of trust is scalable - you just need the opportunity to get 
signatures. This is an area where we largely make our own opportunities.

I have not met everyone I can trust via the web of trust. From David's stats, 
I have 20 or so signatures that link within the main set and I can trust some 
1400 keys that way.

> 2. WoT is problematic in that it is very sparse.

In certain areas, maybe. The only solution to that is to get more keysigning 

> For example, try to 
>    find a path from my key by which I've signed this mail to somebody
>    you trust. 

? That key has NO signatures other than yourself! There's no way anyone can 
trust it. There are NO paths.

Instead, try looking for a path from Werner to me, or Jason Harris or some of 
the Debian developer keys.

See also these images of my keyrings:

>    My problem is that I can't find another GPG user whom I can 
>    meet in person and arrange key signing.

Sorry to hear that but how hard have you tried? Have you travelled to 
somewhere that other key users might be expected to gather, like exhibitions 
or Linux meetings? Do you have a LUG in your area and have you joined? You 
aren't listed on biglumber so that's one avenue you haven't tried.

"Sorry, no matches were found.
That key has not been added to biglumber yet. Below is a list of user IDs from 
their key: you may wish to contact them and ask that they add themselves. 
Zeljko Vrba (UNIST-OSS) <zvrba 'at'>"

The way the web of trust works is that small, local, groups (like a LUG) sign 
each other's keys. At some point, one LUG member travels outside the local 
area and meets other key users at an exhibition etc. That keysigning links 
the small, isolated, ring into the main keyring. As this repeats, more and 
more strands are added to link the local group more and more tightly to the 
main "strong set". The strong set represents the keys that are closest to 
each other across the entire keyring and is populated by lots of package 
maintainers for the various distributions like Debian (because we use keys to 
authenticate uploads) and leading lights in the GnuPG/PGP and GNU world - 
like Werner, Peter Palfrader, Martin Michlmayr and Richard Stallman.

> And the final 'objection' is more of a philosophical one: what is IDENTITY?

For keysigning, that is:
1. Verify the physical person by a method of photographic ID that is widely 
accepted, e.g. passport.
2. Verify the fingerprint of the key using a print out given to you by that 
person face to face.
3. Verify the email address (possibly using tools like cabot).

> If I know a person only by email, then that email *is* the person to me.

No. It's just an email address - there could be any number of people with 
access to that email inbox.

What you need to verify is the person with access to the private key.

> And I know many people just by email and we are probably never going to
> meet IRL, except for some strange coincidence.

Same here, it hasn't stopped me getting lots of signatures.

> Imagine a situation like this: suppose that, hypothetically, I find two
> different keys on the key server named to "Neil Williams
> <linux at>", each with some number of signatures (let's say
> almost equal).

That's not hard, I have a second key with similar signatures.
See 0xA897FD02.

> If none of these keys has a path of signatures that leads to 
> some person that I personally trust to sign keys properly.. how am I to
> decide WHICH of these keys is the "real" one?

You cannot. You need to verify the person behind the key, either directly or 
via someone who HAS signed your key.

> And most of the time I'm not really that concerned about communicating
> with "the real" Neil Williams,

The point is that verification is important for encryption and verification of 
package uploads. Email signatures are often just tamper-evidence.

Keysigning is testifying to the world that you have verified the person, the 
fingerprint and the email.

> but more with the fact that some set of 
> mails came from the *same person* that happens to (rightfully, or not)
> claim that his name is Neil Williams.

That is all you can judge with your key as is.

If you want a formalised external method of identity verification, consider 
using x.509 and people like Thawte will provide an alternative to GnuPG's 
personal (face-to-face) methods.


Neil Williams
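The argument above about signature paths, isolated local rings and a key that carries nothing but its own self-signature can be made concrete with a small certification-graph search. The following is an added example, not code from the post or from GnuPG; the keyring it walks is constructed here with placeholder key names (no real fingerprints or signature data), and it models only the existence of a certification chain, not GnuPG's ownertrust levels or marginal-signature thresholds.

```python
from collections import deque

# Constructed toy keyring: signer -> set of key ids that signer has certified.
# Every key also carries a self-signature. Names are placeholders only.
SIGNATURES = {
    "werner":    {"werner", "peter", "martin"},
    "peter":     {"peter", "werner", "neil", "martin"},
    "martin":    {"martin", "peter", "werner"},
    "neil":      {"neil", "peter"},
    # an isolated local ring: two LUG members who have only signed each other
    "lug_alice": {"lug_alice", "lug_bob"},
    "lug_bob":   {"lug_bob", "lug_alice"},
    # a key carrying nothing but its own self-signature
    "zvrba":     {"zvrba"},
}


def signers_of(signatures, key):
    """Keys other than `key` itself that have certified `key`."""
    return {s for s, signed in signatures.items() if key in signed and s != key}


def certification_path(signatures, trusted, target):
    """Shortest chain trusted -> ... -> target in which each key has certified
    the next one. Returns the list of keys on the path, or None if no chain exists."""
    if trusted == target:
        return [trusted]
    parent = {trusted: None}
    queue = deque([trusted])
    while queue:
        cur = queue.popleft()
        # sorted() makes the search deterministic; self-signatures are skipped
        for nxt in sorted(signatures.get(cur, ())):
            if nxt == cur or nxt in parent:
                continue
            parent[nxt] = cur
            if nxt == target:
                path = [nxt]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def reachable_keys(signatures, trusted):
    """All keys that have a certification path from `trusted` (excluding itself)."""
    seen = {trusted}
    queue = deque([trusted])
    while queue:
        cur = queue.popleft()
        for nxt in signatures.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(trusted)
    return seen


def with_signature(signatures, signer, signee):
    """Return a copy of the keyring in which `signer` has also certified `signee`
    (one keysigning at an exhibition or LUG meeting)."""
    updated = {k: set(v) for k, v in signatures.items()}
    updated.setdefault(signer, {signer}).add(signee)
    updated.setdefault(signee, {signee})
    return updated


if __name__ == "__main__":
    print("path werner -> neil:", certification_path(SIGNATURES, "werner", "neil"))
    print("signers of zvrba (self excluded):", signers_of(SIGNATURES, "zvrba"))
    print("path werner -> zvrba:", certification_path(SIGNATURES, "werner", "zvrba"))
    # one member of the isolated ring gets signed by someone in the main set
    linked = with_signature(SIGNATURES, "martin", "lug_alice")
    print("lug_bob reachable after one keysigning:",
          "lug_bob" in reachable_keys(linked, "werner"))
```

Run as-is, the script shows a two-hop path from werner to neil, an empty signer set and no path at all for the self-signed-only key, and the whole local ring becoming reachable as soon as a single member is certified by someone already connected to the main set.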
