Phillip Hallam-Baker <phill(_at_)hallambaker(_dot_)com> writes:
On Wed, Mar 25, 2015 at 6:25 PM, Christoph Anton Mitterer
On Wed, 2015-03-25 at 22:56 -0500, Phillip Hallam-Baker wrote:
Web of Trust is a fine academic
theory but it is not how OpenPGP is really used in the real world.
How else do you use it?
I see people using fingerprints directly mostly. Some download them
from key servers.
By Web of Trust I mean actually following a chain to check a key.
I walked a colleague through doing that today: she needs to send me a
secret, and I can't take time to call her and read a fingerprint.
Fortunately, my key had been signed by many other colleagues, and she
had trusted keys from a few of them. It worked exactly as designed.
It's similarly helpful for new people joining that group---new staff, in
that case. This is just an anecdote, of course, but so is "I have
never...". I expect there are little cells of WoT usage scattered
around, and little cells of blind trust, and little cells of
read-the-fingerprint---when strangers meet.
No, I think there are quite a few things that we can do today that
change the WoT game. People carry smart phones with near field
communication, barcode, cameras. So signing can be made a lot simpler.
I would be interested to see a tag on key signatures. That would let me
play with automatic signatures and such without polluting the WoT. I
don't directly see how to do this---is this what "Key Endorsements" are
"I reserve the right to evolve my views, and state that views I previously
expressed may have been somewhere along the spectrum from insufficiently
nuanced through ill-informed to dead wrong."
openpgp mailing list