>Yes, indeed. It is better, however, to establish that authenticity
>directly between 2 people who can then each move outwards expanding the
> domain of trust. Cut out the middle man.
>
>My memory fails me, but, Paul Galloway: remind me how we did it? I
>think John Williams was also involved in that authentication?
>
Yes we did begin to exchange and sign a few PGP keys. In brief , you have to
decide what level of trust to place in someone to introduce keys to you.
---snip---
Would you trust "Ahmad Risk <[log in to unmask]>"
to act as an introducer and certify other people's public keys to you?
(1=I don't know. 2=No. 3=Usually. 4=Yes, always.) ?
---/snip---
This then builds a domain of trust. As an example: I wanted to send a PGP
encrypted message to Grant Kelly but did not have his public key. If I
simply assumed that the public key (say on the bottom of an email) actually
was his then you leave yourself open to spoofing.
However, I did have complete trust in John Williams key actually belonging
to him, and John had Grants key his keyring and trusted that, so I could
mail direct to Grant in confidence even though we had never met, and he had
never given me his key.
Before signing someone elses key and placing complete trust in it it is
essential to ensure it actually is theirs. We phoned each other and read
back the key fingerprints to each other. We had previously met so I
recognised his voice. I know John *never* signs anyone elses keys unless he
is sure so I can trust him as an introducer. Incidentally, if you thought
someone was a reliable individual, but thought they cut corners on key
authentication you would assign them a 2 or 3.
Sounds a bit of a pain, but at the end of the day you get something you can
really rely on. Of course there is a multiplier effect. If I have 4 people I
have completely trusted, and each of them has signed 4, I have access to 16
completely reliable keys.
Paul Galloway
MedWeb UK Ltd. http://www.medweb.co.uk/
Developing Technologies and People Conference, Wolverhampton, 5th June 1998
http://www.medweb.co.uk/dtp
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i
mQCNAzMxt2sAAAEEALecPIiMTQAeWhtriJdIuvGwZ5CBGQLpfAbv4OtEEwrP1szY
+0s4assJQuILHaPeX4W980NJheLxjcuS3jay7wbvaQlkjDcC0m4pId1mTQFCimfX
d8TAhmMV36d4uTYwv2uhsRfVRYLk2d7sBcJxSIbp8E5agVgEZXEGyjHdNmqhAAUR
tCFQYXVsIEdhbGxvd2F5IDxwYXVsQG1lZHdlYi5jby51az6JAJUDBRA0lcP7cQbK
Md02aqEBAaAPA/95XK/QxfrZQz88q52WnE31P8vWUbd0GnQiqzvbPida5kP9XcZj
e+5IIbPcUlfEvclylXSbn1eA68dgom1oi7SmeC7X/qexkjCLUtCDUof3Iv0KoiOU
Ycw0os9CYacMsiIEAPqB43gkAbv31hhKD5aS9N819cL/43xvpTfS7K+E8rQnUGF1
bCBHYWxsb3dheSA8cGF1bEBtZWR3ZWIuZGVtb24uY28udWs+iQCVAwUQM0b3qy3D
SPoGMe9NAQF8dQQAhZsBQk9GoWwwV0YQMgzGcnHRQ5TE8vkvh8cWZ0HJ+XgidA4G
WlcfkNzuWWb9ICsa3xH3xgohiMLmWVsBDrvv+NoQsgk637P4HyFC8q9hEZKT/AlG
bMWSLF6UlXV+nn9faRX4bVZ7F1bsfVUAeI4hSXhb0zzPq2CK/Ys4A9Ki8HSJAJUD
BRAzRBhGAiGywps3U4EBAVieBACAXeIffl9UVgEzTswG4ey0Giez8FC2l7VY1o4e
Ceo0IFo7+NYT4dfyLK3JS2UFrMHbQJff8s24dfFkYd2LInQCFXwMR9WQQ3okpv79
dPbyT02dn0Rjryc0Y3EN1DBHuR49UlrwfU3QH7YVplohuSPX5SRHDQJ127raO9ex
DgUB/IkAlQMFEDM5d9uFS8YBMUlKiQEB7kED/3ytAavB8rNAufntEqG9hvVlnjuq
0idD/mwcTcj+tA6E5QatgnSM7qeLnMQPwXzlwKKbfGiBUrX+Lu6YNeNwjvID3FsS
xHeidTdU/nG1q/aQiGG9R/uY8Mr+7WfeAzYUB23/mXreniGiNJwf4hSuYO8HHnFx
nFYeFK31IXaVFYY8iQCVAwUQMzG3bHEGyjHdNmqhAQEd0wP9FGwxtwH96UYnK4I0
R4AC9GrHefqnFXUz3KGc6wV46aS+eb9LNB+47PS28u5QVsKma6x9pCmTWFp4mToP
n4gwbwW9XAlO4Mq5/n3gPc4bfROCQSlJu0Q+NGpJlexUzZ7Z9RgjcTQBIXbYbOp7
kTtc5k5F8EFZeyU9hLpKgi/Fr5Y=
=eSRJ
-----END PGP PUBLIC KEY BLOCK-----
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|