Are you really saying that you don't trust it, or that your gpg tool tells you that you don't trust it?
Because I suspect that in reality you do trust it, at least a little bit. And if I had had the forethought to sign my previous correspondence with you, you would probably trust it a lot more, despite what gpg tells you.
I've been trying to think of non-digital analogies and the idea of "Public Notices" comes fairly close. There are cases where placing a public notice and not getting a response in some reasonable time period means that you can proceed on the assumption that no-one else has an interest in the issue (handling deceased estate is one example I think).
So my original post is like a public notice. If it was faked, you can be pretty sure that the real neilbrown would have found a way to complain. He hasn't yet. Give it time, but if you don't hear anything in a couple of weeks, you can probably increase your trust level substantially.
[alright, I admit it - I just don't like parties and want to find a way to get my access to kernel.org back without having to go to a key-signing party :-) ]
Posted Oct 7, 2011 13:38 UTC (Fri) by jake (editor, #205)
> Are you really saying that you don't trust it, or that your gpg tool
> tells you that you don't trust it?
well, it was meant flippantly (thus the smiley), but, yes, what I meant was that GPG did not trust the key ...
I don't think keysigning parties are the only way to get signatures ... Jon and I verified fingerprints over the phone recently, for example. Sending me a signed email with info that only the entity I know as "Neil Brown" (whoever you are in real life :) would know would go a long way toward establishing the connection between that key and that entity ... enough that I might be willing to sign the key for example ...
jake
On keys, trust, and webs
Posted Oct 10, 2011 0:33 UTC (Mon) by vonbrand (subscriber, #4458)
<paranoid>Perhaps you have the real one kidnapped somewhere...</paranoid>