jonfarmer at enta.net
Thu Aug 12 13:34:40 BST 2004
Peter Cannon wrote:
> On Thursday 12 Aug 2004 12:15, The wise and knowledgeable Jon Farmer
> Right before this degenerates into a slanging match
I thought it was friendly banter :-)
> Let's get real! Why the hell would some crook be interested in sending mails to
> this list or you. If I was a villain who had coughed up a couple of grand for
> an ID or risked prison by stealing one I'd be buggered if I would waste it on
> some list.
I never suggested that would be a use for a stolen ID. What I am trying
to say is I think a system where all you ultimately trust is yourself is
better than one where you trust a 3rd party.
> I know exactly what you meant by web of trust! But it's still the same thing
> you are trusting others over the www or do you send mails by carrier pigeon?
Not at all. If you have got no sigs on your public key you would be ill
advised to accept a sig over the internet. Key signing is best done in
> You're too enamoured with your PGP software. Take a step back, you create the key
> yourself, correct? Just because somebody else uses the same software to
> produce their key may make them a member of your web of trust, it does not
> mean they are who they say they are, period!
Err No. Using the same software is nothing to do with the web of trust.
Web of trust is all about personal relationships and the conditions
under which your own personal public key is signed by others.
> I made the suggestion that if your key/ID came from an official recognised
> body your key/ID would be more trusted than one created yourself even if it
> is with freebie software that any Joe public can download off the net
Interesting point of view. PGP/GPG is open source and subject to
stringent 3rd party review. Is this the case with Verisign? If so where
can I get the source?
> I, and I'm sure others, place no confidence in the fact that a group (your web
> of individuals) all use the same product. I'll tell you what, I'll get my
> brother to post you a letter but put my name on it. I take it that will mean
> it's come from me then?
Again, I will repeat: web of trust has nothing to do with the software
used. As you correctly say, I would not implicitly trust the letter your
brother posted in your name was from you. The reason? I have no point of
reference to compare what a letter from you is like; in other words, you
are not in my web of trust. Yes, your letter has a signature but I don't
> Having said all that, you are CORRECT, even a Verisign ID is not infallible, but
> I still firmly believe Verisign is 1000 times better than a home grown
Nothing homegrown about it. If you search around a bit you'll see many
eminent cryptographers extol the virtues of PGP.
I would like to finish off by saying I am not trying to personally attack
anyone here. I am finding this debate quite stimulating and hope
everyone else will take it in the same spirit.
Entanet International Ltd
GPG Fingerprint ABCB 6E92 59B8 001F FE9C 0817 A2D6 0151 FF49 9040