Web of Trust (a revolution)

Anne Wilson annew at kde.org
Mon Mar 30 12:24:50 UTC 2009


On Monday 30 March 2009 12:47:49 Tim wrote:
> On Mon, 2009-03-30 at 11:23 +0100, Anne Wilson wrote:
> > If you examine my key you will see that it is signed by a number of
> > people who have properly verified that I am who I say I am.  This is
> > essential for the web of trust to work, but frankly it is not
> > understood by many people, and I've seen conversations where people
> > will sign anyone's key.  The whole web of trust falls apart when this
> > happens.
>
> Looking at your key, using the seahorse program, I can see nothing that
> gives me any indication that the signers have checked anything, only a
> list of names of who the signers are.  Not very helpful...  You'd have
> to use something else to see certification levels, e.g. command line
> tools.  Of course the indicator will only be that person X *says*
> they've checked you out.  There's nothing to enforce them being
> truthful.
>
Exactly.  In this case there were all the appropriate checks, but all you can 
see is a list of names, and I suppose you can check that those names are ones 
you have reason to trust, but that's all, and it's a bit vague.  The person 
who signed the key had to produce their own key to sign it, and that key will 
also have signatures of people that have checked his identity, but it does 
depend entirely on the web of trust being respected, carried out to the 
letter.  Which was my point.

> As you say, some will sign anything willy nilly.  The web of trust is
> really only useful with people that you actually know.  You can't make
> any assumptions just because a key is counter-signed.  A third party's
> referral is useless.  The only third party that you could trust would be
> some service that you know refuses to sign keys without adequate
> verification, assuming that there is one, and that you know of their
> reputation.
>
Absolutely.  It would help if the action of signing included some information 
about the act, such as whether it was carried out at a LUG, Conference, or 
some other organisation, so you could come to some decision about its 
reliability, but there is no such thing.  Consequently I am advocating, as you 
are, careful thought about how much credence to put on gpg- (or pgp-) signing.

Anne
-- 
New to KDE4? - get help from http://userbase.kde.org
Just found a cool new feature?  Add it to UserBase
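An added example, not part of this thread, for Tim's point that the certification level is only visible with command-line tools: a small Python parser over the machine-readable output of "gpg --with-colons --list-sigs". The sample output, key IDs and names below are constructed placeholders, not real keys.

```python
"""Added example: show the RFC 4880 certification class behind each signer name.
Parses the machine-readable output of:  gpg --with-colons --list-sigs <KEYID>
Field 11 of a 'sig' record is two hex digits (10-13 certification, 30 revocation)
plus 'x' (exportable) or 'l' (local-only).  The level is only the signer's claim."""

CERT_LEVELS = {
    "10": "generic: no statement about how identity was checked",
    "11": "persona: signer has NOT verified the identity",
    "12": "casual: some casual verification",
    "13": "positive: signer claims substantial verification",
    "30": "revocation: an earlier certification was withdrawn",
}

# Constructed sample output; key IDs and names are placeholders, not real keys.
SAMPLE = """\
pub:u:2048:1:0123456789ABCDEF:1238400000:::u:::scESC::::::
uid:u::::1238400000::0000000000000000000000000000000000000000::Anne Example <anne at example.invalid>::::::
sig:::1:0123456789ABCDEF:1238400000::::Anne Example <anne at example.invalid>:13x:
sig:::1:FEDCBA9876543210:1238450000::::Tim Example <tim at example.invalid>:13x:
sig:::1:1111222233334444:1238460000::::Careless Signer <careless at example.invalid>:10x:
sig:::1:5555666677778888:1238470000::::Local Only <local at example.invalid>:12l:
"""

def parse_sigs(colon_output):
    """Return one dict per sig/rev record, tagged with the user ID it certifies."""
    primary, uid, sigs = None, None, []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary = f[4]          # key ID of the key being examined
        elif f[0] == "uid":
            uid = f[9]              # user ID that the following sigs certify
        elif f[0] in ("sig", "rev") and len(f) > 10:
            cls = f[10]
            sigs.append({
                "uid": uid, "signer_keyid": f[4], "signer": f[9], "class": cls,
                "level": CERT_LEVELS.get(cls[:2], "unknown class " + cls),
                "exportable": cls.endswith("x"),
                "self": f[4] == primary,  # self-signature: says nothing about trust
            })
    return sigs

def third_party_levels(colon_output):
    """Map signer -> claimed level, dropping the key's own self-signature."""
    return {s["signer"]: s["level"] for s in parse_sigs(colon_output) if not s["self"]}
```

Even the "positive" class is just what person X says they did; the script makes the claim visible, it cannot make it true.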