Web of trust

David Picón Álvarez eleuteri@myrealbox.com
Wed Jun 5 16:21:02 2002



Hi,

> BTW, I cannot find your key.  Is it up on a keyserver anywhere?

As far as I know, it's up on wwwkeys.eu.pgp.net and on pgp.mit.edu.
You can search for eleuteri@myrealbox.com.

There are a couple of bogus IDs from my initial experimentation that contain
fucked up characters and so on, because my surname is not actually Picon
Alvarez but Picón Álvarez, so that caused me a bit of trouble.

> Fair enough.  It helps to go to key signing parties and to make phone
> calls for verification (though that only tells you that the speaker is
> the person whose key you have), but it certainly can be difficult to get
> "tied in".

I haven't heard of any keysigning party in the area where I am. I study in
Leeds/UK, and I'll be on holidays back home in my dear Spain :-) but I
haven't found those kinds of events around.
About phone verification, it's certainly good enough as far as I'm
concerned.


> That sounds like a good start.  I suppose you find that preferable to the
> "are you sure you want to use this untrusted key?" questions; my choice,
> on the other hand, is to not sign, even locally.

I only locally sign such keys as Zimmermann's, ESR's or the like, which are
backed by lots of people and would be damned hard to keep faked. At any
rate, the question or a local signature doesn't seem to make a hell of a
difference as far as I can see.


> I would hope that, quite on the contrary, cryptography is growing more
> and more popular; here in the States, at the very least, there are more
> and more people getting ticked off at government privacy invasion who are
> picking up crypto simply out of defiance.

I don't think that's going on in Europe. I used to have a PGP key when RSA
was in use, I used to have keys all the way through, but I rarely used them
because of lack of people. What fired me off is a new EU directive that
allows states to commit intrusions in people's privacy. But a security tool
such as GnuPG, fine as it is, is useless without enough support, because in
effect, you depend on the other end to be able to use it.

> The WoT should continue to increase, just as it has for years.  The
> problem is simply balancing the level of your need for verification with
> the cost of doing so.  That's a reason some folks like a central
> authority like VeriSign; it's easy to trust them, and then you can trust
> anyone who bought one of their certificates.  Others still favor the
> pgp/gpg "peer to peer" approach, you might call it.

I think there are many good things to say about the p2p approach as you call
it. It's much harder to fake and so on. And I'd have serious doubts about
trusting a for-profit business like VeriSign, for good reasons. There can
always be someone with more money willing to buy false certificates and the
like. And then, it's a central point of failure. But I just see GPG/PGP
users as islands in a huge ocean of apathetic users.


> Even if it's something that a computer can't do, how do you know that the
> actual intended user got it and not a middleman?  How do you know that
> the actual intended user really is the person so described?  The list
> goes on and on :-)

As I said, it wouldn't fit high-security requirements, but at least it would
allow for making sure that it's not an easy fake.


> Sounds topical enough to me...

Hope so.


--David.
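To make "tied in" concrete, here is an added example, not code from this thread or from GnuPG, that computes key validity the way GnuPG's classic trust model does with its default thresholds: a key signed by your own key (a normal or a local signature alike) is fully valid, and a stranger's key becomes valid only through enough valid, trusted introducers. Keyring contents and names are constructed.

```python
# Added example: key validity in the style of GnuPG's classic web-of-trust model.
# Not from this thread or from GnuPG; thresholds mirror GnuPG's defaults
# (marginals-needed 3, completes-needed 1, max-cert-depth 5). Names are constructed.
from collections import defaultdict

MARGINALS_NEEDED = 3   # marginally trusted introducers needed for full validity
COMPLETES_NEEDED = 1   # fully trusted introducers needed for full validity
MAX_CERT_DEPTH = 5     # longest certification chain that still counts

def compute_validity(own_key, signatures, ownertrust):
    """Return {key: 'ultimate'|'full'|'marginal'}; absent keys are unknown.
    signatures: (signer, signed) pairs; a local (lsign) signature counts like an
    exportable one. ownertrust: {key: 'full'|'marginal'|'never'} set by the owner."""
    validity = {own_key: "ultimate"}
    signers_of = defaultdict(set)
    for signer, signed in signatures:
        signers_of[signed].add(signer)
    for _ in range(MAX_CERT_DEPTH):      # each pass adds one certification hop
        changed = False
        for key, signers in signers_of.items():
            if validity.get(key) in ("ultimate", "full"):
                continue
            full = marginal = 0
            for s in signers:
                if validity.get(s) not in ("ultimate", "full"):
                    continue             # only valid keys may act as introducers
                trust = "full" if validity[s] == "ultimate" else ownertrust.get(s)
                if trust == "full":
                    full += 1
                elif trust == "marginal":
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                new = "full"
            elif full + marginal > 0:
                new = "marginal"
            else:
                continue
            if validity.get(key) != new:
                validity[key] = new
                changed = True
        if not changed:
            break
    return validity

def demo():
    """Constructed keyring: 'me' signs prz and three marginally trusted introducers."""
    sigs = [("me", "prz"), ("me", "bob"), ("me", "carol"), ("me", "dan"),
            ("bob", "alice"), ("carol", "alice"), ("dan", "alice"), ("bob", "eve")]
    trust = {"bob": "marginal", "carol": "marginal", "dan": "marginal"}
    return compute_validity("me", sigs, trust)
```

In the constructed keyring, alice reaches full validity through three marginal introducers while eve, signed by only one, stays marginal; a key signed by nobody you have certified never becomes valid at all.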