Web of Trust (a revolution)

Tim ignored_mailbox at yahoo.com.au
Mon Mar 30 11:47:49 UTC 2009


On Mon, 2009-03-30 at 11:23 +0100, Anne Wilson wrote:
> If you examine my key you will see that it is signed by a number of
> people who have properly verified that I am who I say I am.  This is
> essential for the web of trust to work, but frankly it is not
> understood by many people, and I've seen conversations where people
> will sign anyone's key.  The whole web of trust falls apart when this
> happens.

Looking at your key, using the seahorse program, I can see nothing that
gives me any indication that the signers have checked anything, only a
list of names of who the signers are.  Not very helpful...  You'd have
to use something else to see certification levels, e.g. command line
tools.  Of course the indicator will only be that person X *says*
they've checked you out.  There's nothing to enforce them being
truthful.

As you say, some will sign anything willy-nilly.  The web of trust is
really only useful with people that you actually know.  You can't make
any assumptions just because a key is counter-signed.  A third party's
referral is useless.  The only third party that you could trust would be
some service that you know refuses to sign keys without adequate
verification, assuming that there is one, and that you know of their
reputation.

-- 
[tim at localhost ~]$ uname -r
2.6.27.19-78.2.30.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.
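
The certification levels Tim refers to are visible from the command line: `gpg --list-sigs KEYID` prints them as `sig 1`/`sig 2`/`sig 3` after each signature, and `gpg --with-colons --list-sigs KEYID` puts the RFC 4880 signature class (0x10 generic, 0x11 persona, 0x12 casual, 0x13 positive) in field 11 of each `sig` record.  The following script is an added example, not part of the original post or of GnuPG itself: it maps that field to the level the signer claimed.  The sample records it parses are constructed (fake key IDs and addresses), not a real key, and as the post notes the level is only what the signer asserts, not anything gpg can enforce.

```shell
#!/bin/sh
# Added example (not from the original post): map the signature class in
# `gpg --with-colons --list-sigs KEYID` output to the certification level the
# signer claimed (RFC 4880 section 5.2.1, classes 0x10-0x13).  The class is
# a self-assertion by the signer; nothing here verifies that the check was done.
#
# Real usage:  gpg --with-colons --list-sigs KEYID | cert_levels

cert_levels() {
    awk -F: '
        # In colon output a "sig" record has the signing key ID in field 5,
        # the signer user ID in field 10 and "<2 hex digits>x|l" in field 11
        # (x = exportable signature, l = local-only signature).
        $1 == "sig" {
            class = substr($11, 1, 2)
            scope = (substr($11, 3, 1) == "l") ? "local-only" : "exportable"
            if      (class == "10") lvl = "generic  (no claim about checking)"
            else if (class == "11") lvl = "persona  (explicitly NOT checked)"
            else if (class == "12") lvl = "casual   (some checking)"
            else if (class == "13") lvl = "positive (substantial checking)"
            else                    lvl = "class 0x" class " (not a certification)"
            printf "%s\t%s\t%s\t%s\n", $5, $10, lvl, scope
        }'
}

# Constructed sample of --with-colons output; the key IDs and addresses are
# made up for the example and do not belong to anyone.
SAMPLE='pub:f:2048:1:0123456789ABCDEF:1238400000:::f:::scESC::::::23::0:
uid:f::::1238400000::0000000000000000000000000000000000000000::Anne Wilson <anne@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1238400000::::Anne Wilson <anne@example.org>:13x::::::::::
sig:::1:FEDCBA9876543210:1238400100::::Careful Signer <careful@example.org>:13x::::::::::
sig:::1:1111222233334444:1238400200::::Party Signer <party@example.org>:10x::::::::::
sig:::1:5555666677778888:1238400300::::Local Signer <local@example.org>:12l::::::::::'

printf '%s\n' "$SAMPLE" | cert_levels
```

Two related gpg options are worth knowing when you act on this: `gpg --ask-cert-level --sign-key KEYID` prompts you for the level when you sign someone's key instead of silently using the default, and `--min-cert-level N` (default 2) controls which levels gpg counts at all when it computes trust, so a pile of level-0 "party" signatures does not contribute to a key becoming valid.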
