On Mon, 2009-03-30 at 22:17 +1030, Tim wrote: > On Mon, 2009-03-30 at 11:23 +0100, Anne Wilson wrote: > > If you examine my key you will see that it is signed by a number of > > people who have properly verified that I am who I say I am. This is > > essential for the web of trust to work, but frankly it is not > > understood by many people, and I've seen conversations where people > > will sign anyone's key. The whole web of trust falls apart when this > > happens. > > Looking at your key, using the seahorse program, I can see nothing that > gives me any indication that the signers have checked anything, only a > list of names of who the signers are. Not very helpful... You'd have > to use something else to see certification levels, e.g. command line > tools. Of course the indicator will only be that person X *says* > they've checked you out. There's nothing to enforce them being > truthful. > > As you say, some will sign anything willy nilly. The web of trust is > really only useful with people that you actually know. You can't make > any assumptions just because a key is counter-signed. A third party's > referral is useless. The only third party that you could trust would be > some service that you know refuses to sign keys without adequate > verification, assuming that there is one, and that you know of their > reputation. What is wrong with Verisign? -- ======================================================================= Freedom begins when you tell Mrs. Grundy to go fly a kite. ======================================================================= Aaron Konstam telephone: (210) 656-0355 e-mail: akonstam@xxxxxxxxxxxxx -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
