About PGP Signing a File.

Duncan Lithgow dlithgow at gmail.com
Tue Feb 13 05:32:56 UTC 2007


On Tue, 2007-02-13 at 00:27 +0100, Ouattara Oumar Aziz wrote:
> The way I understand it is just like Certificates use with SSL. The 
> trust you put on a key depends on the security organization you are in. 
> So I may have a key signed by the security team of my company, that key 
> is trustworthy for anyone in that company but outside that company, it's 
> not valuable at all.
> That's why, when I see some people on some mailing list signing their 
> mail using PGP I just wonder what they want to prove. We have no way to 
> check the authority behind that key.
I think you're misunderstanding the way the "web of trust" works. It's
only got value if you find yourself in the other person's web of trust.
It's all to do with how many degrees of separation there are between you
and the person whose key you're looking at. If someone who you trust has
been thorough in checking the identity of the new key then you can trust
the new key. And that's the judgement you have to make: "Do I trust that
the person I know has checked this person's identity?" And if it's one
further step away the question becomes: "Do I trust that the person I
know has only signed keys of people who he knows are thorough in
checking the identity of new keys they sign?" And so on.

My key is for example signed by one of the main Danish developers of BSD
- chances are quite high that you know someone who knows him. I can't
remember the math but it turns out that it's usually surprisingly few
degrees of separation between people. The weakness of my key though -
for example - is that it's only signed by people who live in Denmark -
so sometimes the connection may be a bit more distant.

I hope that was a useful explanation. It's quite different from the idea
of a highly trusted signing authority.

Duncan

-- 
Linux user: 372812 | GPG key ID: 21A8C63A | http://lithgow-schmidt.dk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20070213/f8072474/attachment.sig>
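An added illustration of the trust computation the two messages above are arguing about. This is example code written for this archive page, not Duncan's or Ouattara's code and not GnuPG's own implementation: it models the rules GnuPG's classic trust model applies (a key is valid if it is ultimately trusted, or if it is certified by enough valid keys whose owners you trust: by default one fully trusted introducer or three marginally trusted ones, within a maximum chain depth of 5) and goes slightly beyond the thread by also computing the "degrees of separation" path. All key names (`you`, `bsd-dev`, `duncan`, `corp-security-team`, ...) and the keyring contents are constructed for the example.

```python
"""Simplified web-of-trust validity, from one verifier's point of view.

Constructed example (not GnuPG code).  Two inputs drive everything:
  * certifications: who has signed (certified) whose key, and
  * ownertrust:     how much THIS verifier trusts each key's owner to
                    check identities before signing other keys.
Validity of a key is derived from those; it is never a property of the
key itself, which is the point made in the thread above.
"""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


@dataclass
class Keyring:
    certifications: dict[str, set[str]] = field(default_factory=dict)  # key -> signers
    ownertrust: dict[str, str] = field(default_factory=dict)           # key -> trust level

    def certify(self, signer: str, key: str) -> None:
        """Record that `signer` has signed (certified) `key`."""
        self.certifications.setdefault(key, set()).add(signer)
        self.certifications.setdefault(signer, set())

    def set_trust(self, key: str, level: str) -> None:
        self.certifications.setdefault(key, set())
        self.ownertrust[key] = level


def compute_validity(ring: Keyring, marginals_needed: int = 3,
                     completes_needed: int = 1, max_cert_depth: int = 5) -> dict[str, int]:
    """Return {key: depth} for every key this verifier considers valid.

    Depth 0 = ultimately trusted (your own keys).  Each further round admits
    keys certified by already-valid keys whose owners meet the thresholds.
    Signatures from keys the verifier has NOT marked as valid never count,
    however many of them there are.
    """
    valid = {k: 0 for k, t in ring.ownertrust.items() if t == ULTIMATE}
    for depth in range(1, max_cert_depth + 1):
        newly: dict[str, int] = {}
        for key, signers in ring.certifications.items():
            if key in valid:
                continue
            usable = [s for s in signers if s in valid]
            full = sum(1 for s in usable if ring.ownertrust.get(s) in (FULL, ULTIMATE))
            marginal = sum(1 for s in usable if ring.ownertrust.get(s) == MARGINAL)
            if full >= completes_needed or marginal >= marginals_needed:
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)
    return valid


def certification_path(ring: Keyring, target: str) -> list[str] | None:
    """Shortest certification chain from an ultimately trusted key to `target`
    (pure degrees of separation, ignoring trust levels); None if no chain exists."""
    signed_by: dict[str, list[str]] = {}
    for key, signers in ring.certifications.items():
        for s in signers:
            signed_by.setdefault(s, []).append(key)
    starts = [k for k, t in ring.ownertrust.items() if t == ULTIMATE]
    queue = deque((s, [s]) for s in starts)
    seen = set(starts)
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for nxt in sorted(signed_by.get(node, [])):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None


def build_example_ring() -> Keyring:
    """Constructed keyring mirroring the thread's scenario (hypothetical names)."""
    ring = Keyring()
    ring.set_trust("you", ULTIMATE)
    # You checked the BSD developer's ID yourself and know he is careful,
    # so his key is both signed by you and marked as a full introducer.
    ring.certify("you", "bsd-dev")
    ring.set_trust("bsd-dev", FULL)
    ring.certify("bsd-dev", "duncan")            # Duncan is two steps away
    # Three keysigning-party acquaintances, each only marginally trusted.
    for person in ("anna", "bo", "carl"):
        ring.certify("you", person)
        ring.set_trust(person, MARGINAL)
        ring.certify(person, "alice")            # three marginals: enough
    ring.certify("anna", "bob")
    ring.certify("bo", "bob")                    # two marginals: not enough
    # A company security team's signature means nothing to an outsider
    # with no path to that team's key (Ouattara's point).
    ring.certify("corp-security-team", "employee")
    return ring


if __name__ == "__main__":
    ring = build_example_ring()
    for key, depth in sorted(compute_validity(ring).items()):
        print(f"{key:10s} valid at depth {depth}  path={certification_path(ring, key)}")
    print("employee valid?", "employee" in compute_validity(ring))
```

Running it shows `duncan` and `alice` valid at depth 2 while `bob` (two marginal signers) and `employee` (signed only by a key you have no link to) are not; lowering `max_cert_depth` to 1 drops Duncan, which is the "connection may be a bit more distant" problem Duncan mentions for a key signed only within one country.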