[kwlug-disc] Generating and using PGP keys
unsolicited
unsolicited at swiz.ca
Fri Feb 20 00:59:05 EST 2009
Consider http://en.wikipedia.org/wiki/Web_of_trust.
I certainly don't have my head around this stuff. Ward has a handle on
it. Perhaps he'll offer his US$0.02?
Chris Frey wrote, On 02/19/2009 10:19 PM:
> On Thu, Feb 19, 2009 at 10:07:14PM -0500, R. Brent Clements wrote:
>> If I create one key and present its fingerprint to a group of people
>> (herein referred to as you guys) to be signed, that would be my "ID"
>> key. Then I can create new keys for specific purposes and sign them
>> myself so that, er, by proxy? the trust that you guys have given my
>> master key is extended to the new keys? And the security of that key
>> is limited by the trustworthiness of whatever diligence and
>> trustworthiness can be ascribed to you guys?
>
> Yep.
>
> The reason that signing new keys yourself works, is that others can then
> follow the trail of signatures. If someone trusts my key, they can
> check my signature on your key, and then your sig on your own key, and
> be relatively certain it's you. At least more certain than downloading
> some random key off the net and hoping. :-)
>
> The bigger the web of signatures, the easier it is for someone to find a
> verification trail to you.
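
Added example, not part of the original messages: a Python sketch of following the trail of signatures described above, as a breadth-first search over a constructed set of certifications. The key names and the `find_trail` helper are hypothetical, and the sketch simplifies by treating every signer on the path as a trusted introducer and by assuming each signature has already been cryptographically verified.

```python
from collections import deque

# Constructed sample data: (signer, signed_key) certifications.
# The names are hypothetical labels standing in for key fingerprints.
CERTIFICATIONS = [
    ("verifier", "chris"),         # the verifier checked and signed Chris's key
    ("chris", "brent-id"),         # Chris signed Brent's "ID" key
    ("ward", "brent-id"),          # another group member signed it too
    ("brent-id", "brent-id"),      # self-signature on the ID key
    ("brent-id", "brent-email"),   # the ID key signs a purpose-specific key
    ("stranger", "random-net-key"),  # a key nobody in the group has signed
]

def build_graph(certs):
    """Map each signer to the set of keys it has certified."""
    graph = {}
    for signer, signed in certs:
        if signer != signed:  # a self-signature adds no hop to the trail
            graph.setdefault(signer, set()).add(signed)
    return graph

def find_trail(certs, start, target, max_depth=5):
    """Return the shortest signature trail from start to target, or None.

    max_depth caps the number of signature hops, so a long chain of
    strangers does not count as verification.
    """
    graph = build_graph(certs)
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 >= max_depth:
            continue  # hop limit reached on this branch
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

if __name__ == "__main__":
    print(find_trail(CERTIFICATIONS, "verifier", "brent-email"))
    print(find_trail(CERTIFICATIONS, "verifier", "random-net-key"))
```

Adding more certifications to the list gives the search more starting points that reach `brent-id`, which is the "bigger web" effect in the quoted reply.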