key question

Grant Olson kgo at grant-olson.net
Sun Feb 28 22:19:28 CET 2010


> >
> > That isn't how the web of trust works.  Well, it *can* work that way
> > for you, since you can choose who to trust and who not to, but that's
> > not the information encoded in there.  I "know" dozens of people on the
> > net.  I've exchanged encrypted mail with them, I've worked with them, in
> > some cases for years... and I've never met them in person.  For all I
> > know, they're actually a group of people sharing the same email address
> > and using a name that looks like a real one, and not obviously
> > pseudonymous like MFPA.
> >
> > Think about what it really means in the web of trust when you see a
> > signature.  The signature only maps back to a real person indirectly.
> >
> > David
> >
Good points all.  Here's what I'm thinking.  Imagine I trace a path on the
web of trust, like with those pgp pathfinders out there.

Example 1:

me ->
user1 at example.org ->
user2 at example.org ->
user3 at example.org ->
you

Now not that it's practical, but I could trace through that.  user1 -
he's an old college buddy.  I ask him how he knows user2.  He's been
sitting in the next cube over from user1 for twenty years.  I ask user2
how he knows user3.  Key-signing party.  A passport and a driver's
license.  I ask user3 how he knows you.  We've been working on some open
source project for years.  I could, not that it's practical to do,
perform additional verification of all of these claims.

Example 2:

me ->
user1 at example.org ->
user2 at example.org ->
a at b.c ->
you

User1 same story.  College buddies.  User2.  Same story.  They work
together.  I ask user2 how he knows a at b.c.  He responds that he's not
allowed to disclose the info for privacy concerns.  I ask you how you
know a at b.c.  You give the same response.  Can't contact a at b.c to ask who
he is because it's not a real email.

I would argue that those two examples have much different levels of
indirectness, since I can't conceivably verify the chain in example 2.
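The two chains above can be modelled as a small certification graph and walked the way a pathfinder does, with each hop annotated by whether the signer could actually be asked how they verified the next key. The following is an added example written for this archive page; it is not code from the thread, from GnuPG, or from any pathfinder tool, and the signature graph, the per-hop "claims" and the unreachable key `a@b.c` are all constructed to mirror the two examples in the message.

```python
"""Trace certification paths through a toy OpenPGP web of trust and
report which hops could be independently checked.

Added example, not from the original thread or from GnuPG. The graph,
user-ids, claims and reachability labels below are constructed."""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Hop = Tuple[str, str]

# Constructed certification graph: signer -> keys that signer has signed.
# Edges follow the two chains in the message (user-ids are placeholders).
SIGNATURES: Dict[str, Set[str]] = {
    "me": {"user1@example.org"},
    "user1@example.org": {"user2@example.org"},
    "user2@example.org": {"user3@example.org", "a@b.c"},
    "user3@example.org": {"you"},
    "a@b.c": {"you"},
}

# Constructed: what each signer said when asked how they verified the key
# they signed.  None means the signer would not (or could not) explain.
CLAIMS: Dict[Hop, Optional[str]] = {
    ("me", "user1@example.org"): "old college buddy",
    ("user1@example.org", "user2@example.org"): "next cube over for twenty years",
    ("user2@example.org", "user3@example.org"): "key-signing party, passport and driver's license",
    ("user3@example.org", "you"): "open source collaboration for years",
    ("user2@example.org", "a@b.c"): None,   # declined for privacy reasons
    ("a@b.c", "you"): None,                 # nobody to ask
}

# Constructed: keys whose holder cannot be contacted at all (the
# "not a real email" case from the second example).
UNREACHABLE: Set[str] = {"a@b.c"}


def find_paths(graph: Dict[str, Set[str]], start: str, goal: str,
               max_hops: int = 5) -> List[List[str]]:
    """Enumerate every simple certification path from start to goal with
    at most max_hops edges, shortest first (breadth-first search)."""
    paths: List[List[str]] = []
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        if len(path) - 1 > max_hops:
            continue
        node = path[-1]
        if node == goal:
            paths.append(path)
            continue
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:          # keep paths simple (no cycles)
                queue.append(path + [nxt])
    return paths


def audit_hop(signer: str, signee: str) -> str:
    """Classify one certification: did the signer explain how they
    verified the signee, decline to, or could they not be reached?"""
    if signer in UNREACHABLE:
        return "unreachable"
    claim = CLAIMS.get((signer, signee))
    if claim is None:
        return "declined"
    return "checked: " + claim


def audit_path(path: List[str]) -> List[Tuple[str, str, str]]:
    """Audit every hop of a path, returning (signer, signee, status)."""
    return [(s, t, audit_hop(s, t)) for s, t in zip(path, path[1:])]


def path_is_verifiable(path: List[str]) -> bool:
    """True only if every hop's verification story could be obtained."""
    return all(status.startswith("checked") for _, _, status in audit_path(path))


if __name__ == "__main__":
    for path in find_paths(SIGNATURES, "me", "you"):
        print(" -> ".join(path), "| verifiable:", path_is_verifiable(path))
        for signer, signee, status in audit_path(path):
            print(f"   {signer} certified {signee}: {status}")
```

Both chains have the same length, so a pathfinder that only counts hops rates them equally; the audit makes the difference the message argues for explicit, since the second chain contains a hop whose signer declined to explain and one whose signer cannot be reached at all.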




