Bill Jonas on Thu, 18 Apr 2002 12:23:27 -0400



Re: [PLUG] key-signing Thursday?


On Wed, Apr 17, 2002 at 08:09:57PM -0400, Michael Leone wrote:
> Why? Isn't that a sign that you trust Darxus? And you do, don't you,
> since you've signed his key?

Signing someone's key is *not* the same as trusting them.  What you're
saying is that you believe (through verification of ID or other means
when this is unavailable) to a reasonable extent that this person is who
they say they are.  (Or, alternately, that their name matches the name
on the ID.)  Trust is an individual thing that says how properly you
think this person follows the rules for keysigning.

For example, Alice can absolutely distrust Bob; she's seen him sign keys
without checking for ID before, and once or twice she's refused to sign
a key that he's signed.  She can still sign his key, though, after she
sees his ID that says "Bob" (or sufficiently verifies his identity
through some other means).

On the other hand, Carol might trust, oh, Darxus completely, based on
the manner in which he signs keys.  She might, however, refuse to sign
his key when he can't produce ID that says "Darxus" on it.

On the other hand, an alternate method of verifying identity would be
for Carol to mail a passphrase (encrypted, of course, to protect from
prying eyes) to Darxus, which he then tells her in person.  If the
passphrase matches, she knows that he is the one who has control over
the passphrase to the private key that goes with the public key, and
over the email address.  So then (possibly depending on factors like,
"Do I know him well enough?", etc) she may then choose to go ahead and
sign his key.

Note also that trust levels you assign when you edit a key are local
only.  They don't get sent along with the key when you send it to a
keyserver or export it.  In PGP, I understand that the trust info is
stored in the keyring file/files it/them self/selves.  With GnuPG, trust
information is stored in a separate file (~/.gnupg/trustdb.gpg by
default).  So you can send someone a copy of pubring.gpg without
worrying about exposing your trust information.

</ramble>

-- 
Bill Jonas    *    bill@billjonas.com    *    http://www.billjonas.com/
"They that can give up  essential  liberty to obtain a little temporary
safety deserve neither liberty nor safety."        -- Benjamin Franklin
