Yeah, I don't think the drivers license analogy does it justice. It's more like a credit card. Any ATM that trusts the STAR network, will trust a key bank debit card. The circle of trust builds out from the people on the inside. I heard Linus Torvolds give a speech on this some years back.<div>
<br></div><div>Trust has to be rooted. That, is the point of the signing party, to root it in the group of people that you know are real and trust.</div><div><br></div><div>Also, if you private keys are stolen, even if they are encrypted with password that is only known by you, it is advisable to revoke the keys. Usually the second factor only buys you time once the keys have been compromised. In fact, <a href="http://www.keylength.com">http://www.keylength.com</a> has recommendation from NIST (and others) on how long to trust a private public key pair for based on how many bits of encryption.</div>
<div><br></div><div><br></div><div>Scott M<br><br><div class="gmail_quote">On Tue, Dec 21, 2010 at 9:32 AM, William Yang <span dir="ltr"><<a href="mailto:wyang@gcfn.net">wyang@gcfn.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Tue, 2010-12-21 at 08:15 -0500, Steve VanSlyck wrote:<br>
> Well, can't they do that anyway? I mean that's been my difficultty with<br>
> certificates and PGP and so on all along.<br>
<br>
<br>
</div>Any trust relationship requires trust somewhere along the chain.<br>
<br>
If I know you, and I verify that your PGP fingerprint is X, and I sign<br>
your PGP key... then anyone who knows me and has signed my key knows<br>
that I am asserting trust in the assertion that fingerprint X is yours.<br>
<br>
If my friend Rob signs my key, and Mike over there knows Rob and trusts<br>
Rob, and so forth, we can do the 7-degrees of Kevin Bacon in PGP keys<br>
game to come to a trustworthy source by establishing a chain of trusted<br>
relationships between your key and a recipient's. While you can<br>
certainly validate a 1:1 relationship (as I have with many of my<br>
professional associates, and which forms my immediate circle of trust in<br>
PGP), the real value is this "web of trust" that allows people to ride<br>
on a chain of trusted relationships of varying strength.<br>
<br>
Maybe a reasonable topic for a meeting would be a discussion of<br>
encryption principles -- openCA, x509 certs, PGP... it's not<br>
particularly hard to understand, though it's gets a little bogged down<br>
in terminology sometimes.<br>
<br>
The assertion that I am Steve VanSlyck is not true... and a chain of<br>
trusted relationships -- especially in a circle as small as central Ohio<br>
-- is likely to not be supported within the Columbus circle. In<br>
contrast, the assertion that I am William Yang of a given e-mail address<br>
is extremely likely to be supported.<br>
<div><div></div><div class="h5"><br>
-Bill<br>
--<br>
William Yang<br>
<a href="mailto:wyang@gcfn.net">wyang@gcfn.net</a><br>
<br>
_______________________________________________<br>
colug-432 mailing list<br>
<a href="mailto:colug-432@colug.net">colug-432@colug.net</a><br>
<a href="http://lists.colug.net/mailman/listinfo/colug-432" target="_blank">http://lists.colug.net/mailman/listinfo/colug-432</a><br>
</div></div></blockquote></div><br></div>