Web of Trust (a revolution)
Aaron Konstam
akonstam at sbcglobal.net
Mon Mar 30 13:55:52 UTC 2009
On Mon, 2009-03-30 at 22:17 +1030, Tim wrote:
> On Mon, 2009-03-30 at 11:23 +0100, Anne Wilson wrote:
> > If you examine my key you will see that it is signed by a number of
> > people who have properly verified that I am who I say I am. This is
> > essential for the web of trust to work, but frankly it is not
> > understood by many people, and I've seen conversations where people
> > will sign anyone's key. The whole web of trust falls apart when this
> > happens.
>
> Looking at your key, using the seahorse program, I can see nothing that
> gives me any indication that the signers have checked anything, only a
> list of names of who the signers are. Not very helpful... You'd have
> to use something else to see certification levels, e.g. command line
> tools. Of course the indicator will only be that person X *says*
> they've checked you out. There's nothing to enforce them being
> truthful.
>
> As you say, some will sign anything willy nilly. The web of trust is
> really only useful with people that you actually know. You can't make
> any assumptions just because a key is counter-signed. A third party's
> referral is useless. The only third party that you could trust would be
> some service that you know refuses to sign keys without adequate
> verification, assuming that there is one, and that you know of their
> reputation.
What is wrong with Verisign?
--
=======================================================================
Freedom begins when you tell Mrs. Grundy to go fly a kite.
=======================================================================
Aaron Konstam telephone: (210) 656-0355 e-mail: akonstam at sbcglobal.net
More information about the fedora-list
mailing list