
Re: about pgp-signed messages



On Tue, Nov 04, 2003 at 05:53:19PM -0500, David Yitzchak Cohen wrote:
> On Tue, Nov 04, 2003 at 11:06:41PM +0100, Aron Stansvik wrote:
> > Should this not be done unless we meet
> > personally or verify something over a secure phone line?
> If your question pertains to "should," then the answer is what you
> have above, plus the possibility that if you can find somebody else you
> trust to tell you this kind of stuff and who's willing to certify that
> I'm myself, then you don't have to directly verify that I'm myself.
> That's called the web of trust.

To Aron:

I trust that if the person who posts to mutt-users as David Yitzchak
Cohen cares about avoiding impersonation, he won't give his privkey
and passphrase to anyone else.  At this point, since I don't foresee
needing to exchange very sensitive information with Dave, it matters
very little to me whether the key belongs to a man named D.Y. Cohen,
or a small child, or an old woman, or whatever.  Therefore, I feel
quite justified in locally certifying his key with my own, at a trust
level of 0: "I don't know."  That suffices to kill the warning, and,
to me, doesn't imply any trust beyond what I'm willing to put forth.

Of course, your mileage may vary.  (Just don't drive in 1st on the highway.)

Cheers,
 Allister

-- 
Allister MacLeod <amacleod@xxxxxxxx>
 Elen síla lúmenn'omentielvo.