On Sun, 21 Dec 2003 20:41, Richard D Piper wrote:
> At least I seem to have GPG working with Mozilla ... although I have not
> sorted out that "web of trust" thing ... :-)
I trust you are using Enigmail (http://enigmail.mozdev.org/) with Mozilla mail, else you are making life unnecessarily difficult for yourself.

Web of trust is really easy. Let's say you know your wife well. You and she each create a key pair. Each of you mutually "signs" these keys with your respective private keys. Now your wife has been working for 20 years together with person X. She has been at X's home many times, and knows that person very, very well. X has a public key too. Since your wife is confident that she knows X is X for practical purposes, she signs X's key. All of you submit your signed keys to public key servers.

You never met X before. Now, all of a sudden, you need to communicate with X. You check a public key server, and yes, there is a key claiming to belong to X. But how would you know it really does? Your system checks whether this key can be trusted. It notices that your wife has expressed her trust in it by signing it. You have signed your wife's key. It follows that if you trust your wife's key, and your wife trusts X's key, you can trust X's key.

In real life, things are rarely as clear cut. If a web of trust depended on trusting a single person, it wouldn't work. However, if ten or twenty people you know have indirectly or directly signed another key, it becomes more likely you can trust that one. It is also a much better real world model than a central certification authority, because it makes you more aware that trust in somebody's key can never be absolute, only relative - and how much evidence you accept as "good enough" will depend on the circumstances. Centralized certification authorities (such as HeSA) only *appear* to make the lot more secure, but in reality they are even less so for obvious reasons, and they do not allow this extended grey zone of judgement a web of trust does.
I would suggest reading
http://www.debian.org/events/keysigning
http://www.dtype.org/keyanalyze/
http://www.chaosreigns.com/code/sig2dot/debian.html
http://people.debian.org/~weasel/weboftrust/

Horst

-- 
"On two occasions I have been asked [by members of Parliament!], 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question." -- Charles Babbage
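The trust propagation Horst describes (your signature on your wife's key, her signature on X's key, and "ten or twenty people" adding up to more confidence than one) is what GnuPG's classic trust model computes every time it checks a key. The script below is an added example, not part of the mail above and not GnuPG's own code: it models that trust model with GnuPG's default thresholds (one fully trusted signer or three marginally trusted signers make a key valid, within a certification chain of at most five steps, and only keys that are themselves already fully valid may contribute signatures). The keyring, the signatures and the ownertrust assignments are constructed sample data that mirror the wife/X scenario and extend it with a three-co-worker case and a too-long chain. It deliberately omits what real gpg also checks, such as the cryptographic validity of each signature, expiry and revocation; in gpg itself you set the ownertrust values modelled here with `gpg --edit-key <keyid>` and the `trust` command.

```python
"""Toy web-of-trust validity calculation (added example, not GnuPG code).

Models GnuPG's "classic" trust model with its default thresholds: a key
becomes fully valid when signed by one fully-trusted valid key, or by three
marginally-trusted valid keys, at most 5 certification steps away from a key
you own. Only keys that are already fully valid may contribute signatures.
All keys, signatures and trust settings below are constructed sample data.
"""

# GnuPG defaults: --completes-needed 1, --marginals-needed 3, --max-cert-depth 5
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5

# Ownertrust: how far *you* trust a key's owner to certify other people's keys.
ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"


def compute_validity(signatures, ownertrust):
    """Return (validity, depth) dicts for every key in the keyring.

    signatures: key -> set of keys whose owners signed (certified) it.
    ownertrust: key -> ULTIMATE (your own key), FULL or MARGINAL; keys absent
                from this dict have unknown ownertrust and never count as signers.
    validity:   key -> "full", "marginal" or "unknown".
    depth:      key -> length of the shortest certification chain from your key
                (present only for fully valid keys).
    """
    keys = set(signatures) | set(ownertrust)
    for signers in signatures.values():
        keys |= signers
    validity = {k: "unknown" for k in keys}
    depth = {k: 0 for k in keys if ownertrust.get(k) == ULTIMATE}  # your own keys
    for k in depth:
        validity[k] = "full"

    # Level n validates keys whose certifying signers became valid at level < n,
    # so the level a key is validated at is the length of its shortest chain.
    for level in range(1, MAX_CERT_DEPTH + 1):
        newly_valid = []
        for key in keys:
            if key in depth:
                continue
            full_sigs = marginal_sigs = 0
            for signer in signatures.get(key, ()):
                # Self-signatures and signatures from keys that are not (yet)
                # fully valid carry no weight, whatever their ownertrust.
                if signer == key or signer not in depth:
                    continue
                trust = ownertrust.get(signer)
                if trust in (ULTIMATE, FULL):
                    full_sigs += 1
                elif trust == MARGINAL:
                    marginal_sigs += 1
            if full_sigs >= COMPLETES_NEEDED or marginal_sigs >= MARGINALS_NEEDED:
                newly_valid.append(key)
            elif full_sigs + marginal_sigs > 0:
                validity[key] = "marginal"  # some evidence, but not enough
        if not newly_valid:
            break
        for key in newly_valid:
            validity[key] = "full"
            depth[key] = level
    return validity, depth


# Constructed keyring mirroring the mail: you signed your wife's key, she signed
# X's key and three co-workers' keys; the co-workers certified Y and Z; a chain
# of fully-trusted keys shows the depth limit; "stranger" has no path to you.
SIGNATURES = {
    "wife": {"you"},
    "X": {"wife"},
    "coworker1": {"wife"}, "coworker2": {"wife"}, "coworker3": {"wife"},
    "Y": {"coworker1", "coworker2", "coworker3"},  # three marginals: enough
    "Z": {"coworker1", "coworker2"},               # two marginals: not enough
    "stranger": {"nobody_you_know"},
    "chain1": {"you"},
    **{f"chain{i}": {f"chain{i - 1}"} for i in range(2, 7)},
}
OWNERTRUST = {
    "you": ULTIMATE,
    "wife": FULL,
    "coworker1": MARGINAL, "coworker2": MARGINAL, "coworker3": MARGINAL,
    **{f"chain{i}": FULL for i in range(1, 7)},
}

if __name__ == "__main__":
    validity, depth = compute_validity(SIGNATURES, OWNERTRUST)
    for key in sorted(validity):
        print(f"{key:16} {validity[key]:9} depth={depth.get(key, '-')}")
```

Two things the output makes visible that the prose only implies: ownertrust alone never makes a key valid (chain6 is fully trusted but sits one step beyond the depth limit, so it stays unknown), and Z, signed by two of the three marginally trusted co-workers, ends up "marginal": some evidence, not the "good enough" Horst talks about, which is exactly the grey zone a CA-style yes/no answer hides.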
