
On keys, trust, and webs

Posted Oct 6, 2011 1:21 UTC (Thu) by jake (editor, #205)
In reply to: On keys, trust, and webs by neilbrown
Parent article: On keys, trust, and webs

> [I wonder if the message and the following signature will survive any
> transformations that lwn and your browser do...]

FWIW, Neil, I could verify the signature based on a key that I retrieved from pgp.mit.edu with the following fingerprint:

A539 96E0 95AE 2027 C2DB A965 1B97 DCEA 057E 59BD

but I don't trust that key (yet, anyway) :)

jake



On keys, trust, and webs

Posted Oct 7, 2011 8:18 UTC (Fri) by neilbrown (subscriber, #359)

Are you really saying that you don't trust it, or that your gpg tool tells you that you don't trust it?

Because I suspect that in reality you do trust it, at least a little bit. And if I had had the forethought to sign my previous correspondence with you, you would probably trust it a lot more, despite what gpg tells you.

I've been trying to think of non-digital analogies and the idea of "Public Notices" comes fairly close. There are cases where placing a public notice and not getting a response in some reasonable time period means that you can proceed on the assumption that no-one else has an interest in the issue (handling deceased estate is one example I think).

So my original post is like a public notice. If it was faked, you can be pretty sure that the real neilbrown would have found a way to complain. He hasn't yet. Give it time, but if you don't hear anything in a couple of weeks, you can probably increase your trust level substantially.

[alright, I admit it - I just don't like parties and want to find a way to get my access to kernel.org back without having to go to a key-signing party :-) ]

On keys, trust, and webs

Posted Oct 7, 2011 13:38 UTC (Fri) by jake (editor, #205)

> Are you really saying that you don't trust it, or that your gpg tool
> tells you that you don't trust it?

well, it was meant flippantly (thus the smiley), but, yes, what I meant was that GPG did not trust the key ...

I don't think keysigning parties are the only way to get signatures ... Jon and I verified fingerprints over the phone recently, for example. Sending me a signed email with info that only the entity I know as "Neil Brown" (whoever you are in real life :) would know would go a long way toward establishing the connection between that key and that entity ... enough that I might be willing to sign the key for example ...

jake

On keys, trust, and webs

Posted Oct 10, 2011 0:33 UTC (Mon) by vonbrand (guest, #4458)

<paranoid>Perhaps you have the real one kidnapped somewhere...</paranoid>


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds