To try to reflect some of David's points with a real-world situation: I
was at work, with a brand new installation of PGP.  I wanted to send some
confidential data home so I could work with it.  However I didn't have my
home key at work, so I didn't have a secure way to send either the data, or
the work key.  I didn't even have the fingerprint of the home key.

My solution was to pull Carl Ellison's business card out of my pocket.  It
had his key fingerprint on it, and I remember getting it directly from him,
so I could trust the fingerprint.  Now Carl had signed my key, so when I
downloaded it from the key server, I could verify that it was indeed mine
(to the extent I trusted Carl).  Carl's signature, and the key server
allowed me to bootstrap trust into my own key.

At 3:53 PM -0700 6/10/03, David Honig wrote:
>At 04:54 PM 6/10/03 +0100, [EMAIL PROTECTED] wrote:
>I don't know you.  Why should I trust your signing of someone else's key?
>>If I know a mutual acquaintance, no need for "web of trust".
>>If we allow this, then the entire web-of-trust disintegrates.
>There *is no web of trust* unless you know the signers.  In which
>case you may as well have them forward keys manually.

But with a key server, I didn't have to bother Carl to send me my key.  Or
depend on him being online when I needed it.

Cheers - Bill

Bill Frantz           | Due process for all    | Periwinkle -- Consulting
(408)356-8506         | used to be the         | 16345 Englewood Ave.
[EMAIL PROTECTED] | American way.          | Los Gatos, CA 95032, USA
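The bootstrap Bill describes, as an added example that is not part of this message or of PGP itself: a fingerprint held out of band (the business card) is the only trusted input, and a key plus a certification fetched from an untrusted key server are accepted only if they check out against it. A Lamport one-time signature built from the standard library stands in for PGP's signature algorithm; the names, the key server contents and the card are constructed.

```python
import hashlib
import secrets
N = 256  # SHA-256 digest bits; the toy signature signs one digest bit at a time

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key: two random secrets per digest bit, public half hashed.
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    return priv, [(H(a), H(b)) for a, b in priv]

def digest_bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(N)]

def sign(priv, msg: bytes):
    # Reveal one secret per bit; a second signature with this key would leak both halves.
    return [priv[i][b] for i, b in enumerate(digest_bits(msg))]

def verify(pub, msg: bytes, sig) -> bool:
    return len(sig) == N and all(H(sig[i]) == pub[i][b] for i, b in enumerate(digest_bits(msg)))

def fingerprint(pub) -> str:
    # What fits on a business card: a digest of the public key, not the key itself.
    return H(b"".join(a + b for a, b in pub)).hex()[:40]

def cert_msg(owner: str, pub) -> bytes:
    # A key signature certifies the binding of a name to a key.
    return owner.encode() + b":" + fingerprint(pub).encode()

def key_trusted(keyserver: dict, owner: str, trusted_fps: set) -> bool:
    """Accept OWNER's key from an untrusted key server only if a signer whose
    fingerprint we already hold out of band has validly certified it."""
    rec = keyserver[owner]
    for signer, sig in rec["sigs"]:
        signer_pub = keyserver[signer]["key"]
        if fingerprint(signer_pub) not in trusted_fps:
            continue  # unknown signer: no trust to inherit
        if verify(signer_pub, cert_msg(owner, rec["key"]), sig):
            return True
    return False

# Constructed scenario: Carl certified Bill's key; Bill's card carries Carl's fingerprint.
carl_priv, CARL_PUB = keygen()
_bill_priv, BILL_PUB = keygen()
KEYSERVER = {
    "carl": {"key": CARL_PUB, "sigs": []},
    "bill": {"key": BILL_PUB, "sigs": [("carl", sign(carl_priv, cert_msg("bill", BILL_PUB)))]},
}
BUSINESS_CARD = {fingerprint(CARL_PUB)}
```

With the card, `key_trusted(KEYSERVER, "bill", BUSINESS_CARD)` succeeds; a server that substitutes either Bill's key or Carl's key, or a reader with no trusted fingerprint at all, gets `False`.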

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
