Please consider trimming your quotes. The amount that's going on here strikes me as pretty excessive. I'm not standing on a chair and screaming that you're doing it wrong, of course: this is just a friendly request to please trim your quotes. :)
> The whole idea behind the web of trust is that you have met "real"
> people.

Not particularly. The idea behind the Web of Trust is that entities can introduce other entities. Everything above and beyond that is just the projection someone places upon it.

> It is a principle of the whole system that you only sign people's
> keys. The person comes first - not the key.

Not necessarily. For instance, Symantec has a certificate they use to sign PGP releases. That certificate does not belong to a person but to a corporation. *Entities* come first, but an entity is not necessarily a person. Usually it is -- but it's not required to be.

> It's not the validity of keys but the validity of people.

No, it's definitely the validity of certificates that we're checking. We can agree on how to check the validity of a certificate -- ensure the fingerprint matches the one provided to you by the entity controlling the certificate. We can't agree on how to check the validity of a person, or even what it means to do this. So instead we handwave it by saying, "prove to your own satisfaction you're talking to the real entity -- whether this means you've known the person for twenty years, you've seen two forms of government ID, or Elvis came to you in a séance and vouched for the person and told you he was a swell guy." That last option is every bit as 'valid' as the other two. How you confirm an entity's identity is your choice, and nobody gets to decide that policy except you.

> Most people are bound up with beliefs and behaviours. They interact
> with others on a daily basis sharing common values, beliefs and
> behaviours. Under normal conditions we don't ask everyone we meet
> for their passport, driving license or DNA sequence. We accept it as
> the norm that people are real and valid - it's the IDs they use which
> may or may not be questionable.

I don't understand what you're talking about here. In fact, it seems quite self-contradictory.

If someone presents themselves as being Horace Micklethorpe, shows me ID in that name, and then I later discover this person's real name is Harry Palmer, I'm going to understandably accuse this person of having been inauthentic with me.

> So people on this mailing list "know" that Werner Koch is "real."

Few of us do. I harbor some suspicion that Werner's real name is Horace Micklethorpe. He might also be Harry Palmer or Bob Howard. I don't know. I also don't particularly *care*, either: what I care about is what he does, not who he is.

> A public key is a static document

Certificates change over time as UIDs, UATs, signatures and subkeys are added and revoked. Certificates are highly dynamic documents: many of them gain a signature a week.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
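The one concrete check the reply above agrees on is "ensure the fingerprint matches the one provided to you by the entity controlling the certificate". Here is that check as an added example, not code from this thread or from GnuPG: it builds a version 4 public-key packet from constructed toy RSA parameters (far too small to be a real key), computes the RFC 4880 fingerprint, and compares it with an out-of-band fingerprint, insisting on the full 40 hex digits rather than a short key ID.

```python
import hashlib
import hmac

# Constructed toy RSA parameters: NOT a real key, only the framing matters here.
TOY_N = int("C0FFEE" * 10 + "0001", 16)   # 256-bit odd number, top bit set
TOY_E = 65537
TOY_CREATED = 1300000000                   # constructed creation timestamp


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bitlen = value.bit_length()
    return bitlen.to_bytes(2, "big") + value.to_bytes((bitlen + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet for RSA (algorithm id 1), RFC 4880 5.5.2."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-byte body length, and the body."""
    framed = b"\x99" + len(body).to_bytes(2, "big") + body
    return hashlib.sha1(framed).hexdigest().upper()


def normalize(fpr: str) -> str:
    """Drop whitespace and colons and upper-case, so 'ab cd' and 'AB:CD' compare equal."""
    return "".join(ch for ch in fpr.upper() if ch not in " \t\n:")


def fingerprint_matches(out_of_band: str, computed: str) -> bool:
    """True only when the full 40-digit fingerprints agree; a prefix or key ID is rejected."""
    a, b = normalize(out_of_band), normalize(computed)
    if len(a) != 40 or len(b) != 40:
        return False
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    body = rsa_public_key_body(TOY_CREATED, TOY_N, TOY_E)
    fpr = v4_fingerprint(body)
    print("computed fingerprint:", " ".join(fpr[i:i + 4] for i in range(0, 40, 4)))
    print("matches what the entity told me:", fingerprint_matches(fpr.lower(), fpr))
```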