On Sun, 2003-11-30 at 09:02, Mary Gardiner wrote:

> which is why you shouldn't be trusting of many of the keys in your key
> ring.

Of course, this is the whole reason for key signing events. If you show me a copy of your key [fingerprint], and a copy of some photo identification, and assert that the key and ID are yours, then I have reasonable grounds to go back to my keyring and say "yes, I trust that this key really is the digital public key of that person". Doesn't mean you trust the person's *character*, just that you have been reasonably convinced that the key matching that fingerprint really does belong to that person, and so can trust that a digital signature made with that key came from that person.

The process can stop there, but there is one more step. It can get a touch complicated from here, but this is how a "web of trust" grows: If we want, we can sign the other person's key indicating that we trust it, and then send a copy to the other person. Each person can, if they care to, submit these signatures to the public key servers; future downloads of that public key will result in a key which carries along with it these signatures from other people. So, ultimately, even if I don't know *you*, but your key is signed by someone I *do* trust, then I have a reasonable assurance that you are who you say you are.

I've always wondered at what point this algorithm would break down under its own weight - assuming mass adoption of the OpenPGP key system world wide, when would either keyring file size, complexity in the trustdb, or length of time needed to validate signatures, cause the whole thing to grind to a halt?

AfC

-- 
Andrew Frederick Cowie
Operational Dynamics Consulting Pty Ltd
Australia: +61 2 9977 6866
http://www.operationaldynamics.com/

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
