[Wolves] PGP

C J Coleman ug97cjc at cs.bham.ac.uk
Thu Aug 12 12:22:13 BST 2004


On Thu, 2004-08-12 at 11:58, Peter Cannon wrote:
> On Thursday 12 Aug 2004 11:31, The wise and knowledgeable Jon Farmer 
> proclaimed:
> 
> > Err I have to disagree. Passports and driving licences are increasingly
> > stolen and forged. Also while I am not suggesting Verisign or any other
> > third party signing authority are not to be trusted they never
> > personally know the person they are digitally signing.
> 
> Without falling out with you, your argument doesn't stand up.
> 
> 1. Why on earth would someone send a stolen or faked passport? The point is, 
> to gain that type of signature you will have had to supply documents, most 
> people know you will have had to supply documents (genuine, faked, stolen or 
> forged) and therefore the trust level is stronger than a signature you have 
> written out yourself. It's like me saying I'm worth 4 million quid you 
> wouldn't believe me until you saw a bank statement.

They would send a stolen/faked passport to gain a key that says they
are somebody else - and it seems, implicitly gain trust from it.  The
same question can be asked about, "why steal/fake a passport?".

> 2. I don't know you personally so does that mean I shouldn't trust your Sig?

Correct, until you have verified it in person, or it is verified by
somebody who you trust by them signing it.

> > PGP works on a web of trust and is the best method I have ever seen of
> > being certain of an identity. I only ever sign and trust public keys of
> > people I have met in person and have had the key provided to me in
> > person. I would never implicitly trust a Verisign identity as I have no
> > control over it whereas if I have signed a key I would implicitly trust
> > it for my use only.
> 
> Whoa! Web? Trust? I trust nothing web wise, Viruses, spiders, scripts, adware, 
> rogue sites, blah blah blah!
> 
> The WWW is the best market for malicious evil individuals they can be anyone 
> anywhere and you wouldn't have a clue.

I do not think that "web of trust" particularly refers to the world
wide web, in fact I am certain it does not.  Basically, a web is
created by you verifying somebody's key - assuming you then trust them,
you are able to gain a larger base of trusted keys by keys that they
have signed.  The idea is similar to six degrees of separation (or
whatever it is called) - at some point you will be able to get to any
verified key through a set of keys that you trust.

> > How about a WLUG key signing party sometime.. :-)
> 
> I thought we promoted OPEN, FREE ideals? This smacks of closed selectiveness, 
> no key, no entrance. Looks like I'll be locked out then, :-)

The idea is to create a web of trust, I doubt they are intending to
lock the list or attendance from people who do not possess keys in that
ring.

- Chris
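
Added example, not part of the original message: a simplified Python model of the web-of-trust calculation described above, separating "this key is valid" from "I trust this owner to introduce other keys". All key names, signatures and owner-trust values are constructed, and the thresholds are assumptions modelled on GnuPG's documented defaults (completes-needed 1, marginals-needed 3, max-cert-depth 5).

```python
# Simplified web-of-trust validity model (illustrative; not GnuPG's own code).
# Every name, signature and trust value below is constructed sample data.
FULL, MARGINAL, NONE = "full", "marginal", "none"

# SIGNATURES[signer] = keys that signer has certified
SIGNATURES = {
    "me":      {"alice", "bob", "carol", "dave"},  # verified in person
    "alice":   {"erin"},
    "bob":     {"frank"},
    "carol":   {"frank"},
    "dave":    {"frank", "grace"},
    "erin":    {"heidi"},
    "mallory": {"heidi"},                          # never verified by anyone I trust
}

# Owner trust: how far I rely on each owner to check identities before signing.
OWNER_TRUST = {"alice": FULL, "bob": MARGINAL, "carol": MARGINAL,
               "dave": MARGINAL, "erin": NONE}


def valid_keys(root, signatures, owner_trust,
               completes_needed=1, marginals_needed=3, max_depth=5):
    """Return {key: depth} for every key considered valid from `root`."""
    valid = {root: 0}
    trust = {**owner_trust, root: FULL}  # my own key anchors the web
    for depth in range(1, max_depth + 1):
        # Keys signed by something already valid, but not yet valid themselves.
        candidates = {k for s in valid for k in signatures.get(s, ())
                      if k not in valid}
        newly = {}
        for key in candidates:
            # Only signatures from keys that are already valid count.
            signers = [s for s in valid if key in signatures.get(s, ())]
            full = sum(trust.get(s, NONE) == FULL for s in signers)
            marginal = sum(trust.get(s, NONE) == MARGINAL for s in signers)
            if full >= completes_needed or marginal >= marginals_needed:
                newly[key] = depth
        if not newly:
            break  # nothing changed, so later rounds cannot change either
        valid.update(newly)
    return valid


if __name__ == "__main__":
    for key, depth in sorted(valid_keys("me", SIGNATURES, OWNER_TRUST).items()):
        print(f"{key:6} valid at depth {depth}")
```

In this sample, "heidi" stays unverified even though erin's key is valid, because erin's owner trust is "none"; a signature from the unverified "mallory" key adds nothing.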



