Web of Trust (a revolution)

Bill Crawford billcrawford1970 at gmail.com
Tue Mar 31 14:23:08 UTC 2009


On Tuesday 31 March 2009 15:01:42 Anne Wilson wrote:
> On Tuesday 31 March 2009 13:16:42 Tim wrote:
> > On Tue, 2009-03-31 at 12:27 +0100, Bill Crawford wrote:
> > > Ought to be possible for people to visit companies' offices and sign
> > > their keys, and add them to the "web of trust" as per PGP / GPG keys.
> > > No idea if / how that should be done, in practice, though.
> >
> > Actually, I'd like to be able to do something like that with banking (go into
> > the branch, and physically confirm keys used for banking).  For the one
> > or two people that I've used encrypted mail with, I exchanged keys in
> > person.
>
> Bear in mind that the Public Key is intended to be just that - public.  It
> is useless to anyone else as only you have the Private Key that forms the
> pair, so there is no problem at all about the public key being accessible.
> It can *only* be used to compare against your signature.  It cannot be used
> in any attempt to pretend to be you.

Yes, but the point is, without taking that verification step, you've no way of 
being confident that the key you see with name "X" on it actually belongs to 
the person you communicate with named "X". The steps he's outlining go a long 
way towards avoiding "man in the middle" attacks, because he won't be fooled by 
a key with the same name "X" on it, but different. Well, not if he checks the 
key fingerprint anyway :o)
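The fingerprint check the message ends on, shown as an added example that is not part of the original thread: how an OpenPGP v4 fingerprint is derived from the public-key packet (RFC 4880 section 12.2), why the name on a key tells you nothing, and how a fingerprint obtained in person is used to choose between two keys that both say "X". The two keys are constructed for illustration with 64-bit toy RSA moduli, far too small for real use; only the packet framing, the hashing and the comparison are the real algorithm.

```python
"""Added example (not from the original thread): OpenPGP v4 fingerprints and
why comparing them, rather than the user ID, defeats a look-alike key.

The keys below are constructed for illustration; the moduli are toy values.
"""
import hashlib
import hmac
import struct
from typing import Iterable, Optional


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880 3.2):
    a 2-byte big-endian bit count, then the minimal big-endian magnitude."""
    if value == 0:
        return b"\x00\x00"
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version-4 public-key packet for RSA (public-key algorithm 1):
    version byte, 4-byte creation time, algorithm id, then the MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """Fingerprint = SHA-1 over 0x99, the 2-byte body length and the body,
    rendered as 40 upper-case hex digits, as gpg --fingerprint prints it."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
    return digest.hex().upper()


def normalize(fingerprint: str) -> str:
    """Accept a fingerprint however it was copied: grouped in fours, lower
    case, or with stray whitespace, as read off a business card."""
    return "".join(fingerprint.split()).upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID of a v4 key is just the low 64 bits of the
    fingerprint, so a key ID alone is a weaker check than the full value."""
    return normalize(fingerprint)[-16:]


def fingerprint_matches(observed: str, expected_out_of_band: str) -> bool:
    """Compare the fingerprint of a key found online against the one obtained
    in person. Constant-time comparison; any length difference is a mismatch."""
    a = normalize(observed).encode("ascii")
    b = normalize(expected_out_of_band).encode("ascii")
    return len(a) == len(b) and hmac.compare_digest(a, b)


def pick_trusted_key(candidates: Iterable[bytes], expected_out_of_band: str) -> Optional[bytes]:
    """Given several keys that all carry the user ID "X", return the one whose
    fingerprint matches what X told us face to face, or None if none does."""
    for body in candidates:
        if fingerprint_matches(v4_fingerprint(body), expected_out_of_band):
            return body
    return None


# Constructed keys: both would carry the user ID "X" but differ in material.
CREATED = 1238509388  # 2009-03-31 14:23:08 UTC, the date of the message above
GENUINE_KEY = rsa_public_key_body(n=0xC5A1F3B7E2D9046B, e=65537, created=CREATED)
LOOKALIKE_KEY = rsa_public_key_body(n=0xD4B2A8C1F7E35921, e=65537, created=CREATED)


if __name__ == "__main__":
    # X hands over the fingerprint in person; a keyserver returns both keys.
    in_person = v4_fingerprint(GENUINE_KEY)
    for label, body in (("genuine", GENUINE_KEY), ("look-alike", LOOKALIKE_KEY)):
        fp = v4_fingerprint(body)
        print(f"{label:10s} key ID {key_id(fp)}  fingerprint {fp}  "
              f"match={fingerprint_matches(fp, in_person)}")
    chosen = pick_trusted_key([LOOKALIKE_KEY, GENUINE_KEY], in_person)
    print("trusted key is the genuine one:", chosen == GENUINE_KEY)
```

The user ID never enters the fingerprint: anyone can upload a key with the name "X" on it, which is exactly why the comparison is done on the hash of the key material and why the expected value has to come from a channel the attacker does not control (a visit, a phone call, a printed card), not from the same keyserver or e-mail that delivered the key.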

