Not to sidetrack the discussion, but frequently I've heard PKI compared to PGP's model. Isn't PGP's trust model the same as everyone being their own CA?
I find PGP to be problematic. Many keys I see are only self-signed, and this includes important keys like CERT's. Many others sit unsigned on the same website you access to download the source code protected by them. And 90% of the time, when they have more than one signature, you don't have a key that signed the other party's key, so you get to do a breadth-first search manually (pathserver being dead and all). Even with kgpg pulling the keys from a keyserver for you, it's still non-trivial.

I successfully inspired a local keysigning, but it seems like most of the people didn't see any immediate benefit, and so declined to participate. "What does this mean for me?" was a common question. I tried to explain the purpose, but I suspect it is too recondite or too far removed from their experience. Perhaps I'd have better luck by stating what kind of attacks it would prevent (email spoofing being relatively rare, save for some obvious spam tactics). I'm open to any suggestions along these lines.

-- 
http://www.lightconsulting.com/~travis/ -><- P=NP if (P=0 or N=1)
"My love for mathematics is unto 1/x as x approaches 0."
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
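The trust-path search described above, done by hand on a web of trust, as an added example that is not part of the original thread or of any PGP implementation: a small Python model of a keyring (fingerprint -> set of fingerprints that certified it), a breadth-first search for a certification path from your own key to a target, and a GnuPG-style validity computation using the classic defaults (one fully trusted signer or three marginally trusted signers, maximum certification depth 5). The fingerprints, names and ownertrust assignments are all constructed for the example; the only-self-signed "CERT" entry mirrors the case complained about in the post.

```python
from collections import deque

ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"

# Constructed keyring: key -> set of keys whose signatures appear on it.
# Every key carries its own self-signature; "CERT" carries nothing else.
SIGNATURES = {
    "ME":    {"ME"},
    "ALICE": {"ALICE", "ME"},
    "BOB":   {"BOB", "ALICE"},
    "CAROL": {"CAROL", "ALICE"},
    "ERIN":  {"ERIN", "ALICE"},
    "DAVE":  {"DAVE", "BOB", "CAROL", "ERIN"},
    "FRANK": {"FRANK", "BOB", "CAROL"},
    "CERT":  {"CERT"},
}

# Constructed ownertrust: how much *you* trust each key holder as a certifier.
# This is local policy, not something carried in the signatures themselves.
OWNERTRUST = {
    "ME": ULTIMATE,
    "ALICE": FULL,
    "BOB": MARGINAL,
    "CAROL": MARGINAL,
    "ERIN": MARGINAL,
}


def only_self_signed(sigs, key):
    """True when the only signature on `key` is its own (no third-party certification)."""
    return sigs.get(key, set()) <= {key}


def certification_path(sigs, start, target, max_depth=5):
    """Breadth-first search along signature edges (signer -> signed key).

    Returns the shortest list of keys from `start` to `target`, or None if
    no chain of certifications connects them within `max_depth` hops.
    Self-signatures are ignored because they certify nothing to a third party.
    """
    signed_by = {}
    for key, signers in sigs.items():
        for s in signers:
            if s != key:
                signed_by.setdefault(s, set()).add(key)
    if start == target:
        return [start]
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if len(path) - 1 >= max_depth:
            continue
        for nxt in sorted(signed_by.get(node, ())):  # sorted for deterministic paths
            if nxt in seen:
                continue
            new_path = path + [nxt]
            if nxt == target:
                return new_path
            seen.add(nxt)
            queue.append((nxt, new_path))
    return None


def compute_validity(sigs, ownertrust, completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """Fixpoint propagation of key validity, modelled on GnuPG's default trust model.

    A key becomes valid when it is certified by at least `completes_needed`
    valid keys with FULL/ULTIMATE ownertrust, or by at least `marginals_needed`
    valid keys with MARGINAL ownertrust, and lies within `max_cert_depth` hops
    of an ULTIMATE key. Returns {key: depth} for every valid key.
    """
    valid = {k: 0 for k, t in ownertrust.items() if t == ULTIMATE}
    changed = True
    while changed:
        changed = False
        for key, signers in sigs.items():
            if key in valid:
                continue
            others = [s for s in signers if s != key and s in valid]
            full = [s for s in others if ownertrust.get(s) in (FULL, ULTIMATE)]
            marg = [s for s in others if ownertrust.get(s) == MARGINAL]
            certifiers = []
            if len(full) >= completes_needed:
                certifiers += full
            if len(marg) >= marginals_needed:
                certifiers += marg
            if not certifiers:
                continue
            depth = min(valid[s] for s in certifiers) + 1
            if depth > max_cert_depth:
                continue
            valid[key] = depth
            changed = True
    return valid


if __name__ == "__main__":
    print("path ME->DAVE:", certification_path(SIGNATURES, "ME", "DAVE"))
    print("path ME->CERT:", certification_path(SIGNATURES, "ME", "CERT"))
    print("valid keys:", compute_validity(SIGNATURES, OWNERTRUST))
```

The two functions answer different questions, which is the point of running both: `certification_path` finds a chain of signatures to FRANK, but `compute_validity` still rejects FRANK because only two marginally trusted keys certified it. A reachable path in the signature graph is necessary, not sufficient; the ownertrust you assign locally decides whether the chain means anything, which is exactly what makes every keyholder "their own CA" in the question above.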
