[ Date Index ][
Thread Index ]
[ <= Previous by date / thread ] [ Next by date / thread => ]
On Thursday 06 Nov 2003 7:03 pm, Brad Rogers wrote: > On Wed, 5 Nov 2003 22:25:21 +0000 > Neil Williams <linux@xxxxxxxxxxxxxx> wrote: > > > I always worry about auto key retrieval; Certainly, for most > > > things, it's fine, but when dealing with truly sensitive data, proof > > > > That is true, however, by retrieving the key from a keyserver you > > aren't validating the key, only the signature made by the key. To > > Phew! A long reply. Not what I was expecting, at all. :-) > > I was expecting something along the lines of "Don't be so up-tight". > Well, alright, I was expecting "Don't be an ass". :-) > > I already understood a great deal of what you wrote, and obviously, Yeah, I get told I'm long winded but hey, this ends up on a public archive and sometimes it's best to cover more of the audience than the composer of the previous thread. Maybe. > without proving someone's identity, I'd never sign their key, anyway. > I've rarely used PGP "in anger", and when I have, we had to jump through > hoops to get keys validated, since the likelihood of meeting up was > non-existent, due to the fact I live in the UK, and some of the other > people lived as far apart as New Zealand, South Africa, and Sweden. There are ways around that, -ish. There are intermediaries, after all, my key has been signed by Kai who spends time in Finland. It's not that far fetched to consider someone else in Finland who has signed Kai's key and also signed a well-known key in Sweden. That in turn could link to the key you want to trust. Both my key and Kai's key are signed by Debian developers who do meet across geographical boundaries, a little knock-on effect and I reckon NZ and SA are not beyond the scope of the web of trust. I've got some long-distance keys in my keyring (from correspondence on gnupg-users) which show as fully trusted and one owner lives in Australia (if you can believe the TLD). Getting your key signed by as many local people as you can will not harm the possibility of such a connection - you're almost bound to meet someone whose work or lifestyle allows keysigning across international borders. From there it's just a case of how much you trust the validation of others - the more connections you can make, the stronger that trust becomes. Default GnuPG only requires 3 marginally trusted signatures on a key for it to be fully trusted. That indicates a three-level connection: You sign A - you edit the trust to indicate full A signs B - B shows as marginally trusted. Repeat for C and D. B,C and D all sign key for E - E is fully trusted. I find this site invaluable in this type of connection: http://www.lysator.liu.se/~jc/wotsap/ Enter my keyid in the second box (0x28BCB3E3) to simulate your own key (I can sign yours just as soon as we're at the same meeting + fingerprints are exchanged etc.) and the keyid of the person you want to trust in the top box. Both keys must already be signed by keys within the 'strong set' - keys that interconnect and are signed by previously recognised keys like those in the Debian developers keyring. Here's an example: http://webware.lysator.liu.se/jc/wotsap/?top=0x65D7A531&bottom=0x28BCB3E3&size=&arrowlen=&arrowang=&colors= If the linewrap messes the URL, use 0x65D7A531 in the top box and my keyid in the bottom box. In that example, Erich Schubert (0x4B3A135C)is almost certain to show up as fully trusted - each of the three keys in the bottom level are fully trusted (I've personally verified + signed each one), each links to at least three others in the next level which would be deemed marginal trust in most cases, more than 3 of these have signed Erich Schubert's key. So despite me never meeting Erich, I can trust his key. A similar process can lead to others in that level being fully trusted and so on. The end result is that 0x65D7A531 also shows as fully trusted in my keyring. (Just imported it from the keyserver to check.) I'm sure a similar arrangement can work for your contacts. There have been odd occassions that I've imported a key via auto-key-retrieve that has become instantly fully trusted because of the web of trust. It does work. -- Neil Williams ============= http://www.codehelp.co.uk/ http://www.dclug.org.uk/ http://www.isbn.org.uk/ http://sourceforge.net/projects/isbnsearch/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
Attachment:
pgp00040.pgp
Description: signature