[linux-elitists] GPG luser rant

Joey Hess joey@kitenet.net
Fri Apr 13 14:23:34 PDT 2001


Karsten M. Self wrote:
> > I wish it were not the case, but there are not yet very workable
> > real-world systems for distributing, managing, and revoking keys --
> > PKI/certificate authority or web-of-trust models are both problematic
> > in those areas if you aim for both day-to-day practicality and
> > meaningful authentication.  Much as I would like to hope that these 
> > are early implementation issues that will be ironed out, the worst of
> > them appear essential to the authentication models concerned.
> 
> There is a distributed public keyserver network.  This seems to work
> reasonably well from a data distribution standpoint.  I'd be interested
> in knowing what specific problems exist with it.

I'm not sure what Rick was getting at WRT "distributing, managing, and
revoking keys", for which the keyservers seem to work fine, but this
illustrates the rest of it:

gpg: Good signature from "Karsten M. Self <kmself@ix.netcom.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

Even though I've met you in person, we've never exchanged keys, and
there is no trust path between us that gpg can find in my keyring[1]. So
as far as I'm concerned, your signature means little (and I'm mostly
assuming that I'm talking to Karsten Self based on context and
content).

The web of trust concept _does_ work in small, tightly-connected
societies. For example, Debian's web of trust is nearly fully connected,
with multiple redundant paths and probably only 4 degrees of separation
between any two people. But I haven't seen the web of trust concept work
nearly as well in larger societies or the world/net at large.

-- 
see shy jo

[1] Actually, I'm not even sure gpg bothers to try to find one.
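What gpg is doing when it prints that WARNING is running its classic web-of-trust validity computation: a key is only considered valid if enough already-valid keys whose owners you have marked trustworthy have certified it, within a bounded certification depth. The following is an added example (not code from the post above, and not GnuPG's own implementation) that simulates that computation in simplified form with GnuPG's classic defaults (3 marginals or 1 full signer needed, maximum certification depth 5). The two keyrings, the people in them (joey, karsten, alice, bob, carol, dave) and their signatures are all constructed for illustration; the first mirrors the situation in the post (Karsten's key present but with no trust path), the second a small densely cross-signed web of the kind the post attributes to Debian.

```python
"""Simulate GnuPG's classic web-of-trust validity computation.

Constructed example, not GnuPG code and not from the original post.
Data model:
  sigs[k]        -> set of keys that have certified (signed) key k
  ownertrust[k]  -> how far the keyring owner trusts k to certify others:
                    "ultimate", "full", "marginal" or "unknown"
Defaults follow GnuPG's classic trust model:
  --marginals-needed 3  --completes-needed 1  --max-cert-depth 5
"""
from collections import deque


def compute_validity(sigs, ownertrust, marginals_needed=3,
                     completes_needed=1, max_cert_depth=5):
    """Return {key: depth} for every key the model considers valid.

    Ultimately trusted keys are valid at depth 0.  A key becomes valid at
    the next depth once it carries certifications from at least
    `completes_needed` valid fully/ultimately trusted keys, or from at
    least `marginals_needed` valid marginally trusted keys.  Ownertrust
    on a key that is not itself valid counts for nothing.
    """
    valid = {k: 0 for k, t in ownertrust.items() if t == "ultimate"}
    for depth in range(1, max_cert_depth + 1):
        newly = {}
        for key, signers in sigs.items():
            if key in valid:
                continue
            full = sum(1 for s in signers
                       if s in valid and ownertrust.get(s) in ("full", "ultimate"))
            marg = sum(1 for s in signers
                       if s in valid and ownertrust.get(s) == "marginal")
            if full >= completes_needed or marg >= marginals_needed:
                newly[key] = depth
        if not newly:
            break          # nothing more can become valid; stop early
        valid.update(newly)
    return valid


def degrees_of_separation(sigs, a, b):
    """Shortest number of certification hops between a and b, treating
    each certification as an undirected edge.  None if disconnected."""
    adj = {}
    for key, signers in sigs.items():
        for s in signers:
            adj.setdefault(key, set()).add(s)
            adj.setdefault(s, set()).add(key)
    dist = {a: 0}
    queue = deque([a])
    while queue:
        x = queue.popleft()
        if x == b:
            return dist[x]
        for y in adj.get(x, ()):
            if y not in dist:
                dist[y] = dist[x] + 1
                queue.append(y)
    return None


def gpg_style_report(valid, signer, uid):
    """Mimic gpg's verdict: the signature verifies cryptographically either
    way; the WARNING is added only when the signing key is not valid."""
    lines = [f'gpg: Good signature from "{uid}"']
    if signer not in valid:
        lines.append("gpg: WARNING: This key is not certified with a trusted signature!")
        lines.append("gpg:          There is no indication that the signature belongs to the owner.")
    return lines


# Scenario 1 (constructed): Karsten's key is on the ring, signed only by
# someone Joey has never assigned any ownertrust to.
SIGS_NO_PATH = {"karsten": {"alice"}, "alice": set()}
TRUST_NO_PATH = {"joey": "ultimate"}

# Scenario 2 (constructed): a small, densely cross-signed web.
SIGS_DENSE = {
    "alice": {"joey"},
    "bob": {"joey", "alice"},
    "carol": {"alice", "bob"},
    "dave": {"alice", "bob", "carol"},
    "karsten": {"bob", "carol", "dave"},
}
TRUST_DENSE = {"joey": "ultimate", "alice": "full",
               "bob": "marginal", "carol": "marginal", "dave": "marginal"}

if __name__ == "__main__":
    uid = "Karsten M. Self <kmself@ix.netcom.com>"
    for label, sigs, trust in (("no trust path", SIGS_NO_PATH, TRUST_NO_PATH),
                               ("dense web", SIGS_DENSE, TRUST_DENSE)):
        valid = compute_validity(sigs, trust)
        print(f"--- {label}: valid keys {valid}, "
              f"joey<->karsten hops {degrees_of_separation(sigs, 'joey', 'karsten')}")
        print("\n".join(gpg_style_report(valid, "karsten", uid)))
```

In the dense web Karsten's key only becomes valid because three marginally trusted, themselves-valid keys certified it; drop the ownertrust on any one of them and the same WARNING from the post reappears even though the signature itself still verifies. That is the distinction the two gpg lines are drawing: "Good signature" is about the math, the WARNING is about whether the keyring owner has any reason to believe the key belongs to the named person.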
