From: dmandl@lehman.com (David Mandl)
Date: Mon, 12 Jul 93 06:50:48 PDT
To: mdiehl@triton.unm.edu
Subject: Re: Radical Paranoia?
Message-ID: <9307121350.AA06834@disvnm2.shearson.com>
MIME-Version: 1.0
Content-Type: text/plain


> From: J. Michael Diehl <mdiehl@triton.unm.edu>
> 
>      Lets say someone emails me a key and the return address matches that of
> the address in the key.  Do I assume no one is spoofing me?  You have to
> admit that this is possible albeit unlikely.  What good is key certification
> if it only "probably valid?"  I've noticed that many of the keys on the
> server are signed with the same person's key.  I doubt that these people
> have had physical contact with each of the people who's key that they've
> signed.  Am I just being paranoid, or is there a valid issue here?  I
> welcome any of your comments.

Anything is possible.  It's best to play it VERY safe when it comes to
certifying or accepting keys.  The ideal thing is to accept only keys
that have been signed by a key you know to be good.  Start with a key
that's been handed to you personally (or that you are absolutely certain
is legit), and work from there.

Some folks (bless them) have signed oodles of keys and are very trustworthy;
if you can work through the web to them eventually (being careful along
the way about who you trust as a certifier), you'll eventually have a windfall.

No, most people on the public servers have probably not met face to face;
they've worked their way to each other using trusted signatures and certifiers.
Just be careful about who you trust.

   --Dave.