[13592] in cryptography@c2.net mail archive
RE: Keyservers and Spam
daemon@ATHENA.MIT.EDU (Bill Frantz)
Wed Jun 11 23:04:26 2003
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <3.0.5.32.20030610155326.008d6790@pop.west.cox.net>
Date: Wed, 11 Jun 2003 17:47:02 -0700
To: David Honig <dahonig@cox.net>, Jill.Ramonsky@Aculab.com,
cryptography@metzdowd.com
From: Bill Frantz <frantz@pwpconsult.com>
To try to reflect some of David's points with a real-world situation. I
was at work, with a brand new installation of PGP. I wanted to send some
confidential data home so I could work with it. However I didn't have my
home key at work, so I didn't have a secure way to send either the data, or
the work key. I didn't even have the fingerprint of the home key.

My solution was to pull Carl Ellison's business card out of my pocket. It
had his key fingerprint on it, and I remember getting it directly from him,
so I could trust the fingerprint. Now Carl had signed my key, so when I
downloaded it from the key server, I could verify that it was indeed mine
(to the extent I trusted Carl). Carl's signature and the key server
allowed me to bootstrap trust into my own key.

At 3:53 PM -0700 6/10/03, David Honig wrote:
>At 04:54 PM 6/10/03 +0100, Jill.Ramonsky@Aculab.com wrote:
>I don't know you. Why should I trust your signing of someone else's key?
>
>>If I know a mutual acquaintance, no need for "web of trust".
>>...
>>If we allow this, then the entire web-of-trust disintegrates.
>
>There *is no web of trust* unless you know the signers. In which
>case you may as well have them forward keys manually.

But with a key server, I didn't have to bother Carl to send me my key. Or
depend on him being online when I needed it.

Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz | Due process for all | Periwinkle -- Consulting
(408)356-8506 | used to be the | 16345 Englewood Ave.
frantz@pwpconsult.com | American way. | Los Gatos, CA 95032, USA
---------------------------------------------------------------------
The Cryptography Mailing List
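
The bootstrap described in the message above, modelled as an added example that is not part of the original post: an untrusted key server is used safely because every key it returns is tied back to one fingerprint received in person. Assumptions: toy textbook RSA stands in for OpenPGP signatures, the fingerprint is a truncated SHA-256 of the modulus, and all function and field names are hypothetical.

```python
import hashlib

E = 65537  # public exponent for the toy RSA below

def make_key(p, q):
    # Textbook RSA from two fixed primes: a stand-in for OpenPGP, NOT secure.
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def fingerprint(pub):
    # Simplified: hash of the modulus only (OpenPGP hashes the key packet).
    return hashlib.sha256(str(pub).encode()).hexdigest()[:40]

def _digest(uid, pub, n):
    h = hashlib.sha256(f"{uid}|{pub}".encode()).digest()
    return int.from_bytes(h, "big") % n

def certify(signer, uid, pub):
    # Signer binds a user ID to a public key, like a PGP key signature.
    return pow(_digest(uid, pub, signer["n"]), signer["d"], signer["n"])

def cert_ok(signer_pub, uid, pub, sig):
    return pow(sig, E, signer_pub) == _digest(uid, pub, signer_pub)

def bootstrap(card_fpr, keyserver, signer_uid, my_uid):
    """Fetch my_uid's key from an untrusted keyserver; raise ValueError if
    it cannot be tied back to the fingerprint on the card."""
    signer_pub = keyserver[signer_uid]["pub"]
    # Step 1: the fingerprint received in person is the only trusted input.
    if fingerprint(signer_pub) != card_fpr:
        raise ValueError("signer key does not match trusted fingerprint")
    # Step 2: accept the key only if the verified signer certified it.
    entry = keyserver[my_uid]
    sig = entry["certs"].get(signer_uid)
    if sig is None or not cert_ok(signer_pub, my_uid, entry["pub"], sig):
        raise ValueError("no valid certification from trusted signer")
    return entry["pub"]

def demo_keyserver():
    # Constructed sample data: Mersenne primes keep the toy keys reproducible.
    carl = make_key(2**89 - 1, 2**107 - 1)
    bill = make_key(2**61 - 1, 2**127 - 1)
    sig = certify(carl, "bill", bill["n"])
    server = {"carl": {"pub": carl["n"], "certs": {}},
              "bill": {"pub": bill["n"], "certs": {"carl": sig}}}
    return fingerprint(carl["n"]), server, bill["n"]

if __name__ == "__main__":
    card, server, _ = demo_keyserver()
    print("recovered key:", fingerprint(bootstrap(card, server, "carl", "bill")))
```

The key server contributes availability only; a substituted key fails either the fingerprint check or the certification check.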