[colug-432] PGP Signing Party

William Yang wyang at gcfn.net
Tue Dec 21 09:32:10 EST 2010

On Tue, 2010-12-21 at 08:15 -0500, Steve VanSlyck wrote:
> Well, can't they do that anyway? I mean that's been my difficultty with 
> certificates and PGP and so on all along.

Any trust relationship requires trust somewhere along the chain.  

If I know you, and I verify that your PGP fingerprint is X, and I sign
your PGP key... then anyone who knows me and has signed my key knows
that I am asserting trust in the assertion that fingerprint X is yours.

If my friend Rob signs my key, and Mike over there knows Rob and trusts
Rob, and so forth, we can do the 7-degrees of Kevin Bacon in PGP keys
game to come to a trustworthy source by establishing a chain of trusted
relationships between your key and a recipient's.  While you can
certainly validate a 1:1 relationship (as I have with many of my
professional associates, and which forms my immediate circle of trust in
PGP), the real value is this "web of trust" that allows people to ride
on a chain of trusted relationships of varying strength.

Maybe a reasonable topic for a meeting would be a discussion of
encryption principles -- openCA, x509 certs, PGP...  it's not
particularly hard to understand, though it's gets a little bogged down
in terminology sometimes.

The assertion that I am Steve VanSlyck is not true... and a chain of
trusted relationships -- especially in a circle as small as central Ohio
-- is likely to not be supported within the Columbus circle.  In
contrast, the assertion that I am William Yang of a given e-mail address
is extremely likely to be supported.

William Yang
wyang at gcfn.net

More information about the colug-432 mailing list