Keyservers and Spam
Bill Frantz
frantz at pwpconsult.com
Wed Jun 11 20:47:02 EDT 2003

To try to reflect some of David's points with a real-world situation. I
was at work, with a brand new installation of PGP. I wanted to send some
confidential data home so I could work with it. However I didn't have my
home key at work, so I didn't have a secure way to send either the data, or
the work key. I didn't even have the fingerprint of the home key.

My solution was to pull Carl Ellison's business card out of my pocket. It
had his key fingerprint on it, and I remember getting it directly from him,
so I could trust the fingerprint. Now Carl had signed my key, so when I
downloaded it from the key server, I could verify that it was indeed mine
(to the extent I trusted Carl). Carl's signature and the key server
allowed me to bootstrap trust into my own key.

At 3:53 PM -0700 6/10/03, David Honig wrote:
>At 04:54 PM 6/10/03 +0100, Jill.Ramonsky at Aculab.com wrote:
>I don't know you. Why should I trust your signing of someone else's key?
>
>>If I know a mutual acquaintance, no need for "web of trust".
>>...
>>If we allow this, then the entire web-of-trust disintegrates.
>
>There *is no web of trust* unless you know the signers. In which
>case you may as well have them forward keys manually.
But with a key server, I didn't have to bother Carl to send me my key. Or
depend on him being online when I needed it.
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz | Due process for all | Periwinkle -- Consulting
(408)356-8506 | used to be the | 16345 Englewood Ave.
frantz at pwpconsult.com | American way. | Los Gatos, CA 95032, USA
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
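
The bootstrap described in the message above, as an added example that is not part of the original post: the key server is treated as untrusted storage, the card fingerprint is the only trust anchor, and the target key is accepted only if the anchor's certification verifies. It assumes textbook RSA over fixed Mersenne primes as a stand-in for OpenPGP signatures; every name, key and the dict-based keyserver is hypothetical and constructed.

```python
import hashlib

E = 65537  # public exponent shared by every toy key

def make_key(uid, p, q):
    """Toy textbook-RSA key from two known primes; returns (public, private d)."""
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"uid": uid, "n": p * q, "sigs": []}, d

def fingerprint(pub):
    """Hash of the key material only, like the value printed on a card."""
    return hashlib.sha256(str(pub["n"]).encode()).hexdigest()

def _binding(pub, modulus):
    """Digest binding a user id to key material, reduced for the signer."""
    digest = hashlib.sha256(f"{pub['uid']}|{pub['n']}".encode()).digest()
    return int.from_bytes(digest, "big") % modulus

def certify(signer_pub, signer_d, subject_pub):
    """Signer vouches that subject_pub really belongs to subject_pub['uid']."""
    sig = pow(_binding(subject_pub, signer_pub["n"]), signer_d, signer_pub["n"])
    subject_pub["sigs"].append((signer_pub["uid"], sig))

def bootstrap(keyserver, anchor_uid, anchor_fpr, target_uid):
    """Return target key only if the card-verified anchor certified it."""
    anchor, target = keyserver.get(anchor_uid), keyserver.get(target_uid)
    if anchor is None or target is None or fingerprint(anchor) != anchor_fpr:
        return None  # server's copy of the anchor does not match the card
    want = _binding(target, anchor["n"])
    for signer, sig in target["sigs"]:
        if signer == anchor_uid and pow(sig, E, anchor["n"]) == want:
            return target
    return None  # no valid certification from the anchor

# Constructed sample data: Mersenne primes keep the toy keys deterministic.
M = lambda k: 2**k - 1
carl, carl_d = make_key("carl", M(61), M(89))
bill, bill_d = make_key("bill", M(107), M(127))
certify(carl, carl_d, bill)
CARD_FPR = fingerprint(carl)  # obtained in person, never from the server

# Substituted keys: a different "bill" key and a look-alike "carl" certifying it.
evil_bill, _ = make_key("bill", M(61), M(107))
evil_bill["sigs"].append(("carl", 12345))
fake_carl, fake_d = make_key("carl", M(89), M(127))
certify(fake_carl, fake_d, evil_bill)
HONEST = {"carl": carl, "bill": bill}
SWAPPED_TARGET = {"carl": carl, "bill": evil_bill}
SWAPPED_ANCHOR = {"carl": fake_carl, "bill": evil_bill}
```

In `SWAPPED_ANCHOR` the look-alike signature is mathematically valid, so only the fingerprint comparison against the card rejects it.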