[colug-432] PGP Signing Party
scott.mccarty at gmail.com
Tue Dec 21 15:01:46 EST 2010
On Dec 21, 2010 2:28 PM, "Steven Lefevre" <lefevre.10 at osu.edu> wrote:
> On Tue, Dec 21, 2010 at 9:32 AM, William Yang <wyang at gcfn.net> wrote:
> > If my friend Rob signs my key, and Mike over there knows Rob and trusts
> > Rob, and so forth, we can do the 7-degrees of Kevin Bacon in PGP keys
> > game to come to a trustworthy source by establishing a chain of trusted
> > relationships between your key and a recipient's. While you can
> > certainly validate a 1:1 relationship (as I have with many of my
> > professional associates, and which forms my immediate circle of trust in
> > PGP), the real value is this "web of trust" that allows people to ride
> > on a chain of trusted relationships of varying strength.
> So how does this actually play out on my computer? Say I get an email
> or another bit of data that is signed by William Yang, and my
> application that's opening the data is PGP-capable. Does it go and
> look up the web of trust, and report back to me some kind of report on
> how trustworthy the data is? How do I actually come to find out that
> the signature is trustworthy or not?
So basically, your email client has some key servers registered with it in a
very similar manner as your browser has SSL certificate authorities. There
used to be one at Harvard or Yale that was free and everyone used, but it
has been a couple of years since I used it.
Basically, you register the public key with the certificate/key server. The
problem is, anybody can register any email address with any public key,
because the key servers don't want to deal with authentication (part of the
reason you pay for an SSL cert).
So when the receiver of the email or bits goes to look up the public key (or
you could send it to them in an email), their email client will warn if the
key is not signed by (I forget, and I am sure it is configurable) X number of
other trusted keys.
So basically, the mail client will show the key in orange or red if the key
isn't signed by other trusted keys. Then you can use the key to send them
trusted email. This is on a signed email or when encrypting to send to them.
We used to use Eudora 6 or 7 years back and it could do this.
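To make the "X number of trusted other keys" rule concrete, here is a small simulation of how a PGP client decides whether a key is valid from the signatures on it. This is an added example, not code from the thread, from Eudora, or from GnuPG; the thresholds follow GnuPG's documented defaults (--completes-needed 1, --marginals-needed 3, --max-cert-depth 5), while the keyring, the names and the "marginal" label for a partially supported key are constructed for illustration.

```python
"""Toy web-of-trust validity calculation (added example, not code from the
thread or from GnuPG).  Thresholds follow GnuPG's defaults:
--completes-needed 1, --marginals-needed 3, --max-cert-depth 5.
The keyring below is constructed for illustration."""

from dataclasses import dataclass, field

# Owner trust: how much *you* trust a key holder to certify other keys.
# (This is the thing you set by hand; it is not stored on the key server.)
UNKNOWN, MARGINAL, FULL, ULTIMATE = "unknown", "marginal", "full", "ultimate"

COMPLETES_NEEDED = 1   # fully trusted signers needed for validity
MARGINALS_NEEDED = 3   # marginally trusted signers needed for validity
MAX_CERT_DEPTH = 5     # longest chain back to your own (ultimate) key


@dataclass
class Key:
    uid: str
    owner_trust: str = UNKNOWN
    # IDs of keys whose holders have certified (signed) this key's user ID.
    signers: set = field(default_factory=set)


def compute_validity(keyring: dict[str, Key]) -> dict[str, str]:
    """Return "valid", "marginal" or "unknown" for every key ID in keyring.

    Only certifications made by keys that are themselves already valid
    count, so validity radiates outward from the ultimately trusted key(s).
    Iterate until no key changes state (a fixed point).  This is the
    computation a client performs before colouring a key green/orange/red.
    """
    validity = {kid: "unknown" for kid in keyring}
    depth = {}  # certification-chain length from an ultimate key
    for kid, key in keyring.items():
        if key.owner_trust == ULTIMATE:
            validity[kid], depth[kid] = "valid", 0

    changed = True
    while changed:
        changed = False
        for kid, key in keyring.items():
            if validity[kid] == "valid":
                continue
            # Usable signers: already valid and within the chain-depth limit.
            usable = [s for s in key.signers
                      if validity.get(s) == "valid" and depth[s] < MAX_CERT_DEPTH]
            fulls = [s for s in usable if keyring[s].owner_trust in (FULL, ULTIMATE)]
            margs = [s for s in usable if keyring[s].owner_trust == MARGINAL]
            if len(fulls) >= COMPLETES_NEEDED or len(margs) >= MARGINALS_NEEDED:
                validity[kid] = "valid"
                depth[kid] = 1 + min(depth[s] for s in fulls + margs)
                changed = True
            elif margs and validity[kid] != "marginal":
                validity[kid] = "marginal"  # some support, but not enough
                changed = True
    return validity


def build_sample_keyring() -> dict[str, Key]:
    """Constructed keyring: 'me' is our own key; all names are hypothetical."""
    return {
        "me":      Key("me", owner_trust=ULTIMATE),
        "rob":     Key("rob", owner_trust=FULL, signers={"me"}),
        "mike":    Key("mike", owner_trust=MARGINAL, signers={"rob"}),
        "ann":     Key("ann", owner_trust=MARGINAL, signers={"rob"}),
        "ben":     Key("ben", owner_trust=MARGINAL, signers={"rob"}),
        # certified by three marginally trusted valid keys -> valid
        "william": Key("william", signers={"mike", "ann", "ben"}),
        # certified by only one marginally trusted key -> marginal
        "eve":     Key("eve", signers={"mike"}),
        # uploaded to a key server but signed by nobody we trust -> unknown
        "mallory": Key("mallory", signers={"eve"}),
    }


if __name__ == "__main__":
    for kid, v in compute_validity(build_sample_keyring()).items():
        print(f"{kid:8s} {v}")
```

The "mallory" entry is the case the reply warns about: anyone can upload a key under any address, and the client flags it precisely because no chain of valid, trusted certifications reaches it. Removing one of william's three marginal signers drops him from "valid" to "marginal", which is the threshold behaviour the client's orange/red colouring reflects.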