trust your corporation for keyowner identification?

Paul R. Ramer free10pro at gmail.com
Fri Oct 25 02:28:23 CEST 2013


Stan Tobias <sttob at privatdemail.net> wrote:
>Peter Lebbing <peter at digitalbrains.com> wrote:
>> On 24/10/13 01:15, Stan Tobias wrote:
>> > , then why do we believe WoT authenticates anything?  Why do we accept, for
>> > example, a conversation by telephone to validate a key fingerprint?
>>
>> Because these are verifications outside the Web of Trust.
>
>Is that the only requirement?  Then I have fantastic news for you!

The idea of using a different channel for confirming key details such as a key fingerprint is really a way of trying to avoid a man-in-the-middle attack on the verification of the key and its UIDs.  It is not entirely foolproof--nothing is.

It isn't any more complicated or foreign than if your friend sends you an attachment in an email and you call him, send him an SMS message, or talk to him face-to-face to confirm that the message was from him before you open it.

Cheers,

--Paul 
--
PGP: 3DB6D884


