<p><br>
On Dec 21, 2010 2:28 PM, "Steven Lefevre" <<a href="mailto:lefevre.10@osu.edu">lefevre.10@osu.edu</a>> wrote:<br>
><br>
> On Tue, Dec 21, 2010 at 9:32 AM, William Yang <<a href="mailto:wyang@gcfn.net">wyang@gcfn.net</a>> wrote:<br>
><br>
> > If my friend Rob signs my key, and Mike over there knows Rob and trusts<br>
> > Rob, and so forth, we can do the 7-degrees of Kevin Bacon in PGP keys<br>
> > game to come to a trustworthy source by establishing a chain of trusted<br>
> > relationships between your key and a recipient's. While you can<br>
> > certainly validate a 1:1 relationship (as I have with many of my<br>
> > professional associates, and which forms my immediate circle of trust in<br>
> > PGP), the real value is this "web of trust" that allows people to ride<br>
> > on a chain of trusted relationships of varying strength.<br>
><br>
> So how does this actually play out on my computer? Say I get an email<br>
> or another bit of data that is signed by William Yang, and my<br>
> application that's opening the data is PGP-capable. Does it go and<br>
> look up the web of trust, and report back to me some kind report on<br>
> how trustworthy the data is? How do I actually come to find out that<br>
> the signature is trustworthy or not?</p>
<p>So basically, you email client has some key servers registered with it in a very similar manner as your browser has ssl certificate authorities. There used to be one at harvard or yale that was free and everyone used, but it has been a couple years since I used it.</p>
<p>Basically, you register the public key is registered with the certificate/key server. The problem is, anybody can register any email address with any public key because the key servers don't want to deal with authentication (Part of the reason you pay for an ssl cert).</p>
<p>So when the receiver of the email or bits go look up the public key, (or you could send it to them in an email). Their email client will warn if the key is not signed by (I forget and I am sure it is configurable) X number of trusted other keys.</p>
<p>So basically, the mail client will show the key in orange or red if the key isn't signed by other trusted keys. Then you can use the key to send them trusted emal. This is on a signed email or when encrypting to send to them.</p>
<p>We used to use Eudora back 6 or 7 years and it could do this.</p>
<p>Scott M</p>
<p>><br>
> _______________________________________________<br>
> colug-432 mailing list<br>
> <a href="mailto:colug-432@colug.net">colug-432@colug.net</a><br>
> <a href="http://lists.colug.net/mailman/listinfo/colug-432">http://lists.colug.net/mailman/listinfo/colug-432</a><br>
</p>