1996-05-09 - Re: Senator Leahy’s Public Key

Header Data

From: “Matt Smith” <msmith@rebound.slc.unisys.com>
To: warlord@MIT.EDU (Derek Atkins)
Message Hash: f1ef7c65dfffc2f74f8077eb68750d390898bffbf06e22bb2fa352bfae8e9e03
Message ID: <199605091408.OAA17613@rebound.slc.unisys.com>
Reply To: <9605081459.AA20668@bart-savagewood.MIT.EDU>
UTC Datetime: 1996-05-09 23:25:19 UTC
Raw Date: Fri, 10 May 1996 07:25:19 +0800

Raw message

From: "Matt Smith" <msmith@rebound.slc.unisys.com>
Date: Fri, 10 May 1996 07:25:19 +0800
To: warlord@MIT.EDU (Derek Atkins)
Subject: Re: Senator Leahy's Public Key
In-Reply-To: <9605081459.AA20668@bart-savagewood.MIT.EDU>
Message-ID: <199605091408.OAA17613@rebound.slc.unisys.com>
MIME-Version: 1.0
Content-Type: text


-----BEGIN PGP SIGNED MESSAGE-----

> > Actually, I've been thinking about this, and how do we *really* know that
> > *anyone's* keys are actually theirs?  I'm new to this list and have been 
> > collecting some of the keys from people who post with PGP signatures, but 
> > even at that, I never certify them myself because I am not 100% absolutely
> > certain that the key in question belongs to that person.  After all, what
> > if some clever hacker dropped in and replaced someone's .plan file, or 
> > edited their index.html file?  There's no real way to be absolutely 
> > certain.
> 
> This is exactly what the web of trust is about.  The fact is that you
> can't trust the Keyservers (they were never designed to be trusted);
> you can't trust .plan files; you can't trust index.html files.
> However you can trust signatures made by trusted keys.  That is why
> the web of trust works.
> 
> For example, I've met in person with a lot of people and we've signed
> each others' keys.  We've used various methods to "prove" identity.
> Sometimes it's been a long time of personal interactions (close
> friends).  Sometimes it's been a number of certifying documents, IDs,
> etc.  Sometimes it's been a piece of knowledge that I know the other
> has but no one else has.

The problem is entering this "Web of trust".  You have to know someone who
is already in The Web in order to start signing your keys.  I don't know
anyone around here who uses PGP but me.  That's why I've been getting
keys off of this list.  Gotta start somewhere, however, I feel that this 
is a very shaky way to start.

> The point is that once I'm attached to the web of trust I have a means
> to verify other keys.  I can set up a CA that way (MIT has one) --
> there is a keysigner that will use out-of-band means to verify the
> identity of a user and then use that to sign a PGP key in that
> person's name.

I agree that once the WOT is set up, everything should work hunky dory, but
introducing yourself into this web isn't an easy thing.  Since we know that
the keyservers aren't bulletproof, how many keys do I grab from there in 
order to start my keyring?  One?  Ten?  500?  Statistically speaking, how 
many of those have been compromised and can no longer be trusted?

> You just need to look at it from a different angle.

That's what I'm trying to do.  Maybe I'm just looking at it all backwards 
or something, but it's something I've been thinking about since I've been 
collecting keys lately.

> -derek

- -- 
Matt Smith - msmith@unislc.slc.unisys.com
"Nothing travels faster than light, with the possible exception of bad news, 
which follows its own rules." - Douglas Adams, "Mostly Harmless"
Disclaimer:  I came up with these ideas, so they're MINE!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMZH8YcWUKiYjg/fZAQFk+QQA047pGZizSijPPBksY8nmZTQLdwaOene4
uO5p/ykHfPull03gzvYJ8ueDLlmttqSaf6y2e63RDgLNh5m8K0q88vOzkd0qQ+qf
LxC2ZVmGk3eIsRG9KLFdRMrPsJ0hmo/AfZ8DwF6SUz8+KXbxIHcN0LjTx4XBKIqz
wkpcnF0nLAM=
=Gd3m
-----END PGP SIGNATURE-----





Thread