ietf

Re: authenticated email

2003-06-04 18:06:49
Stephen writes:

Does my signature on this message make you trust
it more than, say, the ten ads you got this morning
for Viagra?

Your signature tells me nothing, it's what I know about your private key
that is significant.

If there is someone I trust that signs a statement that says that they have
authenticated the business address of the person sending the message I can
have a certain level of confidence that it is not spam. The vast majority of
the spams sent are out and out frauds. These people do not want to leave
behind contact addresses.

If there is someone who in addition says that they have audited the sender
or obtained some sort of anti-spam bond from them then the level of
confidence may be higher.

If there is someone who states that the private key corresponding to the
public key in question is embedded in secure hardware that enforces a
particular signing policy then you can have a higher degree of confidence
still (note, this is not a standards suggestion, certain implementations of
that concept are covered by pending patent claims).

PKI is a tried, tested and deployed solution at this stage. It works really
well at the enterprise level and there is a whole industry based on it.
Don't confuse the fact that PGP or webs of trust or whatever fail to solve a
problem with what PKI can and has achieved. There is a reason that
infrastructure is necessary.

        Phill


