C J Coleman
ug97cjc at cs.bham.ac.uk
Thu Aug 12 14:04:10 BST 2004
On Thu, 2004-08-12 at 13:38, Peter Cannon wrote:
> On Thursday 12 Aug 2004 13:19, The wise and knowledgeable fizzy proclaimed:
> > The web of trust works by me saying I am who I am.
> > Then sparkes saying, yup he is who he is. If you want
> > to check I am who I say I am you follow the path...
> > "oh, if sparkes says who he is he /must/ be who he
> > is".
> A bit thin, don't you think? Look at the bigger picture. The concept of you
> sending me a PGP mail is fine. I don't know you, I've not met you, but I know
> you're a member of this list so on that basis and that basis alone I trust your
No, you should not be trusting the emails - that is the point. It's all
about rationale and risk. Basically, when I read an email on the list,
I tend to assume it is genuine - as there does not immediately appear
to be much to gain from sending fraudulent emails to the list
(especially given that the victim will receive the email). The whole
point is that you do not trust a key until it is verified over a medium
that you trust.
> This is the point that's being missed, everyone is thinking in terms of the
> list rather than globally. In fact we do not need PGP because if I follow the
> ethos of web of trust we already have that by way of communication with each
> other via the list eg. wolvs-lug is our ID/key (Now there's a thought)
Actually, this is globally. This is what I was trying to get across
with the six degrees of separation reference. "wolves-lug" proves
absolutely nothing, it is trivially spoofed. Further, if it was not
clear before, let me make it clear now: the web of trust is a global
thing. Trust propagates throughout the global community. For example,
if I meet an associate from Germany, verify who he is and sign his key
and he reciprocates - then the web of trust I am part of now extends to
all the German keys he has previously signed (not to mention any others
he may have signed). This continues, eventually leading to a complete
*global* web of trust - I thought this would have been implied when I
explained that eventually you could get to *any* key through a series
of keys you trust.
> > Of course, this method too is pretty breakable, unless
> > sparkes has seen my passport etc does he actually know
> > I am who I say I am?
> > But at least the second method is free :)
> I like free but that's the problem: because it's free everyone's got it and
> everyone thinks they should use it.
Everyone should have and should use it, in order for it to work to its
full potential. I admit that it can seem a little pointless when it is
used in instances where trust is not considered an issue (this is why I
personally do not sign mailing list posts).
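The propagation argument above (trust reaching keys you have never seen only through keys you verified yourself, while list membership alone proves nothing) can be made concrete with a small model of the classic PGP validity rule. This is an added example, not code from the thread; the key names, signatures and owner-trust values are constructed for illustration.

```python
# Minimal model of the classic PGP/GnuPG key-validity rule (added example):
# a key becomes valid for me if it is signed by one fully trusted valid key,
# or by `marginals_needed` marginally trusted valid keys, within `max_depth`
# hops of my own key. Signatures are only meaningful because the signer
# verified the owner over a medium they trust (passport, in person, ...).

# Constructed data. SIGS[k] is the set of keys whose owners signed key k.
SIGS = {
    "cjc": set(),
    "hans": {"cjc"},                      # met in person, keys signed both ways
    "anke": {"hans"}, "jens": {"hans"},   # keys Hans had signed earlier
    "sparkes": set(), "fizzy": {"sparkes"},
    "mallory": set(),                     # "I'm on wolves-lug" - no signatures
}
# Owner trust: how far I trust each *owner* to verify other people properly.
OWNERTRUST = {"cjc": "ultimate", "hans": "full", "sparkes": "marginal"}

def valid_keys(me, sigs, ownertrust, max_depth=5, marginals_needed=3):
    """Return {key: depth} for every key that is valid from `me`'s viewpoint."""
    valid = {me: 0}            # my own key is valid by definition
    changed = True
    while changed:             # iterate to a fixed point as trust propagates
        changed = False
        for key, signers in sigs.items():
            if key in valid:
                continue
            full = [s for s in signers
                    if s in valid and ownertrust.get(s) in ("ultimate", "full")]
            marg = [s for s in signers
                    if s in valid and ownertrust.get(s) == "marginal"]
            if full or len(marg) >= marginals_needed:
                depth = 1 + min(valid[s] for s in full + marg)
                if depth <= max_depth:
                    valid[key] = depth
                    changed = True
    return valid

if __name__ == "__main__":
    # From cjc's point of view: hans (verified in person) and, through him,
    # anke and jens become valid; mallory and fizzy do not, since nobody I
    # trust has verified them.
    print(valid_keys("cjc", SIGS, OWNERTRUST))
```

Run the same function from sparkes's own viewpoint (with sparkes as the ultimate key) and fizzy becomes valid for him, which is the "sparkes says he is who he is" step in the original post.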