To try to reflect some of David's points with a real-world situation: I was at work with a brand new installation of PGP. I wanted to send some confidential data home so I could work with it. However, I didn't have my home key at work, so I didn't have a secure way to send either the data or the work key. I didn't even have the fingerprint of the home key.
My solution was to pull Carl Ellison's business card out of my pocket. It had his key fingerprint on it, and I remember getting it directly from him, so I could trust the fingerprint. Now Carl had signed my key, so when I downloaded it from the key server, I could verify that it was indeed mine (to the extent I trusted Carl). Carl's signature and the key server allowed me to bootstrap trust into my own key.

At 3:53 PM -0700 6/10/03, David Honig wrote:
>At 04:54 PM 6/10/03 +0100, [EMAIL PROTECTED] wrote:
>I don't know you. Why should I trust your signing of someone else's key?
>
>>If I know a mutual acquaintance, no need for "web of trust".
>>...
>>If we allow this, then the entire web-of-trust disintegrates.
>
>There *is no web of trust* unless you know the signers. In which
>case you may as well have them forward keys manually.

But with a key server, I didn't have to bother Carl to send me my key. Or depend on him being online when I needed it.

Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz        | Due process for all    | Periwinkle -- Consulting
(408)356-8506      | used to be the         | 16345 Englewood Ave.
[EMAIL PROTECTED]  | American way.          | Los Gatos, CA 95032, USA
---------------------------------------------------------------------

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
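The bootstrap Bill describes, as an added example that is not part of the original thread: one fingerprint obtained out of band (Carl's business card) is the only trust anchor, the key server is treated as fully untrusted, and a key downloaded under Bill's own user ID is accepted only if it carries a certification that verifies under an anchored key. It also shows the failure mode behind David's objection: a certification from a signer you have not anchored counts for nothing, so a second "Bill Frantz" key uploaded by a constructed attacker ("Mallory", a hypothetical name) with a forged certification is rejected. The code uses Go's standard-library Ed25519 and a SHA-256 fingerprint as stand-ins for OpenPGP's key algorithms and fingerprint format; the `Key`, `Cert`, `KeyServer` and `LookupTrusted` names are this example's own, not PGP's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Key models a simplified OpenPGP public key: a primary key, one user ID and
// the certifications ("key signatures") other keys have made on it.
type Key struct {
	UserID string
	Pub    ed25519.PublicKey
	Certs  []Cert
}

// Cert is a certification: the *claimed* signer fingerprint plus a signature
// over (subject public key || subject user ID). The claim is unverified data.
type Cert struct {
	SignerFP string
	Sig      []byte
}

// Fingerprint is the value you would print on a business card.
// Assumption: SHA-256 over the raw key, not OpenPGP's real fingerprint format.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

func certMessage(subject *Key) []byte {
	return append(append([]byte(nil), subject.Pub...), []byte(subject.UserID)...)
}

// Certify appends signer's certification of subject (a key-signing in PGP terms).
func Certify(signer ed25519.PrivateKey, subject *Key) {
	pub := signer.Public().(ed25519.PublicKey)
	subject.Certs = append(subject.Certs, Cert{
		SignerFP: Fingerprint(pub),
		Sig:      ed25519.Sign(signer, certMessage(subject)),
	})
}

// KeyServer is untrusted: anyone can upload any key under any user ID.
type KeyServer []*Key

// LookupTrusted searches the server for userID and returns the fingerprint of
// the single key whose trust traces to an anchor: either its own fingerprint
// is anchored, or it carries a valid certification from an anchored key.
// Zero matches means no trust path; more than one is ambiguous and refused.
func LookupTrusted(ks KeyServer, anchors map[string]bool, userID string) (string, bool) {
	byFP := map[string]*Key{}
	for _, k := range ks {
		byFP[Fingerprint(k.Pub)] = k // recomputed, never taken from the server's claim
	}
	var found []string
	for _, k := range ks {
		if k.UserID != userID {
			continue
		}
		fp := Fingerprint(k.Pub)
		if anchors[fp] || certifiedByAnchor(k, byFP, anchors) {
			found = append(found, fp)
		}
	}
	if len(found) != 1 {
		return "", false
	}
	return found[0], true
}

// certifiedByAnchor ignores certifications from signers you have not anchored
// (David's point) and rejects any whose signature does not verify.
func certifiedByAnchor(k *Key, byFP map[string]*Key, anchors map[string]bool) bool {
	msg := certMessage(k)
	for _, c := range k.Certs {
		signer, ok := byFP[c.SignerFP]
		if ok && anchors[c.SignerFP] && ed25519.Verify(signer.Pub, msg, c.Sig) {
			return true
		}
	}
	return false
}

// Scenario rebuilds the situation in the post with constructed keys. Returns
// Bill's real fingerprint, what the lookup resolved to with Carl's fingerprint
// anchored, and whether anything resolves with no anchor at all.
func Scenario() (billFP, resolved string, ok, okWithoutAnchor bool) {
	carlPub, carlPriv, _ := ed25519.GenerateKey(rand.Reader)
	billPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, malloryPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed attacker
	fakePub, _, _ := ed25519.GenerateKey(rand.Reader)

	carl := &Key{UserID: "Carl Ellison", Pub: carlPub}
	bill := &Key{UserID: "Bill Frantz", Pub: billPub}
	Certify(carlPriv, bill) // Carl signed Bill's key some time earlier

	// Mallory uploads a second "Bill Frantz" key whose certification claims
	// Carl's fingerprint but was actually signed with Mallory's key.
	fake := &Key{UserID: "Bill Frantz", Pub: fakePub}
	Certify(malloryPriv, fake)
	fake.Certs[0].SignerFP = Fingerprint(carlPub)

	ks := KeyServer{carl, fake, bill}
	anchors := map[string]bool{Fingerprint(carlPub): true} // from the business card
	resolved, ok = LookupTrusted(ks, anchors, "Bill Frantz")
	_, okWithoutAnchor = LookupTrusted(ks, map[string]bool{}, "Bill Frantz")
	return Fingerprint(billPub), resolved, ok, okWithoutAnchor
}

func main() {
	billFP, resolved, ok, noAnchor := Scenario()
	fmt.Println("resolved:", ok, "matches real key:", resolved == billFP, "resolves without anchor:", noAnchor)
}
```

The check that matters is that `LookupTrusted` never uses the signer fingerprint the certification claims; it recomputes every fingerprint from the key bytes the server actually returned and verifies the signature under that key, so a forged claim of Carl's fingerprint is just a certification that fails to verify.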