trusting public keys

[Nifty Hat Mitch]

On Sun, Sep 19, 2004 at 03:32:47PM +0200, Björn Persson wrote:
> Jeff Lee wrote:
> 
> >Would it be a safe bet for me to go ahead and mark people that I recieve 
> >email from on this list as trusted with gnupg?  I realize that I shouldn't 
> >*sign* the key without meeting people or thoroughly checking out their 
> >identity.  However, as far as I'm concerned you all should match your 
> >email addresses that your posting with.
> 
> Make sure you understand the difference between a trusted person and a 
> valid key. The ownertrust values are used when calculating how valid 
> keys are. Someone's signature on a key can make the key valid, but only 
> if you trust the person who signed it. So you mark a person as trusted 
> if you're confident that he/she has no malicious intent and that he/she 
> knows to check that a key is authentic before signing it.
> 
> To be able to verify that one email is from the same person as another 
> email, sign the key is what you want to do. I suggest that you make a 
> non-exportable signature (that is, for your own use only), and when 
> asked how well you have checked the key you choose "1", which is 
> recommended for pseudonyms.

In many cases you want to use keys to verify that a person today is
the same person that you exchanged messages with in the past.  In such
cases you 'should' add this person to your keyring as it were.

This is what Björn outlined in his last paragraph above.

This identity digital signature/key thing is going to be increasingly
important for people and for systems.   We should pay attention.

Of interest there is a push by Microsoft and others to push an mail
server identity protocol that is not fully "public domain" going on.
IT organizations are rushing to adopt because it might solve some
liability problems but the side effects for normal people are
not clear to me at this time.



-- 
	T o m  M i t c h e l l 
	In the USA, vote informed, second Tuesday Nov 2004.