[Wolves] PGP

Jon Farmer jonfarmer at enta.net
Thu Aug 12 13:34:40 BST 2004 

Peter Cannon wrote:

> On Thursday 12 Aug 2004 12:15, The wise and knowledgeable Jon Farmer 
> proclaimed:
> 
> Right before this degenerates into a slanging match

I thought it was friendly banter :-)


> Lets get real! why the hell would some crook be interested in sending mails to 
> this list or you. If I was a villain who had cough up a couple of grand for 
> an ID or risked prison by stealing one I'd be buggered if I would waste it on 
> some list.

I never suggested that would be a use for a stolen ID what I am trying 
to say is I think a system where all you ultimately trust is yourself is 
better than were you trust a 3rd party.

> I know exactly what you meant by web of trust! but its still the same thing 
> you are trusting others over the www or do you send mails by carrier pigeon?

Not at all. If you have got no sigs on your public key you would be ill 
advised to accept a sig over the internet. Key signing is best done in 
person.


> Your too enamoured with your PGP software take a step back, you create the key 
> yourself correct? just because somebody else uses the same software to 
> produce their key may make them a member of your web of trust it does not 
> mean they are who they say they are period!

Err No. Using the same software is nothing to do with the web of trust. 
Web of trust is all about personal relationships and the conditions 
under which your own personal public key is signed by others.


> I made the suggestion that if your key/ID came from an official recognised 
> body your key/ID would be more trusted than one created yourself even if it 
> is with freebie software that any Joe public can download off the net

Interesting point of view. PGP/GPG is open source and subject to 
stringent 3rd party review. Is this the case with Verisign? If so where 
can I get the source?


> I, and I'm sure others place no confidence in the fact that a group (your web 
> of individuals) all use the same product I'll tell you what I'll get my 
> brother to post you a letter but put my name on it. I take it that will mean 
> its come from me then?

Again I will repeat web of trust has nothing to do with the software 
used. As you correctly say I would not implicitly trust the letter your 
brother posted in your name was from you. The reason? I have no point of 
reference to compare what a letter from you is like in other words you 
are not in my web of trust. Yes your letter has a signature but I dont 
trust it.



> Having said all that you are CORRECT even a verisign ID is not infallable but 
> I still firmly believe verisign is 1000 times better than a home grown 

Nothing homegrown about it. If you search around abit you'll see many 
eminent cryptographers extol the virtues of PGP.

I would like to finish of by saying I am not trying to personally attack 
anyone here. I am finding this debate quite stimulating and hope 
everyone else will take it in the same spirit.

Regards


Jon


-- 
Jon Farmer
Systems Programmer
Entanet International Ltd
GPG Fingerprint ABCB 6E92 59B8 001F FE9C  0817 A2D6 0151 FF49 9040
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 254 bytes
Desc: OpenPGP digital signature
Url : http://mailman.lug.org.uk/pipermail/wolves/attachments/20040812/a274246b/signature.bin

More information about the Wolves mailing list