ietf

Re: authenticated email

2003-06-04 14:05:02
Alexandru writes:

Can't I just create a public key with Harald's
name and email address and then post to this list
claiming I'm Harald?

Sure, but that wouldn't do much good, because of the way PGP's key
infrastructure works.

See, with PGP, you NEVER trust a key just because it claims to belong to a
specific entity.  You trust a key ONLY when the entity to whom that key
belongs communicates the key to you directly and securely (as by handing you
a diskette in person).  Thereafter, you can use that key, which you can now
trust to be valid, as a source of validation for other keys, in that you can
choose to trust any other key that is signed by the one key that you already
trust (the degree to which you do this is up to you, and depends mainly on
how much you trust the owner of the first key as a reliable "introducer" of
other entities and their keys).

Thus, you'd never trust a key just because it was on a public server, but
you might trust it if it were signed by someone whose key you already trust,
and you might trust it if you received the key directly from its owner.

PGP's great advantage is that it does not impose any specific trust model,
nor does it require that everyone trust a single certification authority.
This is a huge benefit compared to many other public-key infrastructures.
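
The trust decision described in this message, as an added example that is not part of the original post: a toy Python model in which a key becomes valid only by direct hand-over or through signatures from already-valid keys whose owners you trust as introducers. The key IDs, addresses, the two trust levels and the thresholds are constructed assumptions, not PGP's actual data structures.

```python
# Added illustration: a toy model of the trust decision described above.
# All names, key IDs and thresholds are constructed; no real keys are involved.
from dataclasses import dataclass, field

FULL, MARGINAL = 2, 1  # how much you trust a key's OWNER as an introducer

@dataclass
class Key:
    key_id: str                                   # constructed identifier
    user_id: str                                  # name/email the key CLAIMS
    signed_by: set = field(default_factory=set)   # key_ids that certified it

def valid_keys(keyring, verified_in_person, introducer_trust,
               full_needed=1, marginal_needed=2):
    """Return the set of key_ids you may treat as valid.

    A key is valid if you got it directly from its owner, or if enough
    already-valid keys whose owners you trust as introducers have signed it.
    The claimed user_id never contributes to validity.
    """
    valid = set(verified_in_person)
    changed = True
    while changed:                    # iterate until no new key becomes valid
        changed = False
        for key in keyring.values():
            if key.key_id in valid:
                continue
            # Only signatures made by valid keys count, weighted by owner trust.
            signers = [s for s in key.signed_by if s in valid]
            full = sum(introducer_trust.get(s) == FULL for s in signers)
            marginal = sum(introducer_trust.get(s) == MARGINAL for s in signers)
            if full >= full_needed or marginal >= marginal_needed:
                valid.add(key.key_id)
                changed = True
    return valid

# Constructed keyring: two keys claim the same identity.
KEYRING = {k.key_id: k for k in [
    Key("K-ME", "me@example.org"),
    Key("K-FRIEND", "friend@example.org"),
    Key("K-HARALD", "Harald <harald@example.org>", {"K-FRIEND"}),
    # Impostor key: self-signed and signed by a second key nobody has validated.
    Key("K-FAKE", "Harald <harald@example.org>", {"K-FAKE", "K-SOCK"}),
    Key("K-SOCK", "someone@example.org"),
]}
VALID = valid_keys(KEYRING, verified_in_person={"K-ME", "K-FRIEND"},
                   introducer_trust={"K-ME": FULL, "K-FRIEND": FULL})
```

Both `K-HARALD` and `K-FAKE` carry the same user ID, but only the key certified by a trusted introducer ends up in `VALID`.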




