ietf

Re: pgp signing in van

2013-09-06 21:36:43
On 9/6/13 6:24 PM, Ted Lemon wrote:
> It's naive to think that keys are any more trustworthy than this,
> because any signature's trustworthiness is only as good as the
> trustworthiness of the individual who decides to sign it. If you
> trust a key signed by someone you don't know, but who someone you
> know trusts, just how trustworthy is that?

I actually don't think that pgp is likely to be particularly
useful as a "serious" trust mechanism, mostly because of
issues like this.  I don't believe that it's an argument for
less rigor in how we assign trust to signatures but rather
an example of several underlying problems, including lack
of agreement about what it actually means to sign something,
acknowledgment that you don't know much about how the
people whose keys you're signing think about trust ("My friends
are fine but some of their friends are jerks"), etc.

One of the useful things that PKI provides is some agreement,
at least, about what we expect from certification authorities
and what it means to issue and sign a certificate.  That is
to say, the semantics are reasonably well sorted out, which is
not the case with pgp.

Melinda
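As an added illustration of the "friend of a friend" case in Ted's question (this is constructed for the archive, not code from the thread and not GnuPG's code), the following toy model computes key validity under rules assumed to mirror GnuPG's classic trust model with its default thresholds: a key is fully valid if certified by one fully trusted introducer (or by your own, ultimately trusted key) or by three marginally trusted introducers; a certification only counts if the signer's own key is fully valid; a signer whose ownertrust you have never assigned contributes nothing; and certification paths are limited to five steps. The key names, the signature graph and the trust ratings are all made up for the example.

```python
"""Toy web-of-trust validity calculation (constructed example, not GnuPG's
code). Rules and thresholds are assumed to follow GnuPG's classic model."""

from enum import IntEnum


class OwnerTrust(IntEnum):
    """Your rating of a key holder as an introducer, i.e. how much their
    signature on some other key should mean to you. This is a separate
    question from whether their own key is valid."""
    UNKNOWN = 0
    NEVER = 1
    MARGINAL = 2
    FULL = 3
    ULTIMATE = 4


# Assumed GnuPG defaults: marginals-needed, completes-needed, max-cert-depth.
MARGINALS_NEEDED = 3
COMPLETES_NEEDED = 1
MAX_CERT_DEPTH = 5


def compute_validity(signatures, ownertrust, own_key):
    """Return {key: validity} with validity in {"full", "marginal", "unknown"}.

    signatures: {certified_key: set(signer_keys)}  who has signed whom
    ownertrust: {key: OwnerTrust}                  your introducer ratings
    own_key:    your own key; treated as ultimately trusted and fully valid
    """
    validity = {own_key: "full"}
    depth = {own_key: 0}  # length of the shortest counted certification path
    changed = True
    while changed:  # validity only ever increases, so this terminates
        changed = False
        for key, signers in signatures.items():
            if validity.get(key) == "full":
                continue
            completes = marginals = 0
            shortest = None
            for signer in signers:
                # Only a fully valid key can act as an introducer ...
                if validity.get(signer) != "full":
                    continue
                d = depth[signer] + 1
                if d > MAX_CERT_DEPTH:
                    continue
                # ... and only if *you* have rated its owner. A valid key whose
                # owner you never rated (the friend of a friend) counts for
                # nothing, no matter who signed it.
                if signer == own_key:
                    ot = OwnerTrust.ULTIMATE
                else:
                    ot = ownertrust.get(signer, OwnerTrust.UNKNOWN)
                if ot >= OwnerTrust.FULL:
                    completes += 1
                elif ot == OwnerTrust.MARGINAL:
                    marginals += 1
                else:
                    continue
                shortest = d if shortest is None else min(shortest, d)
            if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                new = "full"
            elif marginals > 0:
                new = "marginal"
            else:
                new = "unknown"
            if new != validity.get(key, "unknown"):
                validity[key] = new
                depth[key] = shortest
                changed = True
    all_keys = set(signatures) | set(ownertrust)
    for signers in signatures.values():
        all_keys |= signers
    for key in all_keys:
        validity.setdefault(key, "unknown")
    return validity


def example_web():
    """Constructed graph: 'me' signed alice, bob and carol; all three signed
    dave; only alice signed eve; dave signed frank. I rate alice, bob and
    carol as marginal introducers and have never rated dave."""
    signatures = {
        "alice": {"me"},
        "bob": {"me"},
        "carol": {"me"},
        "dave": {"alice", "bob", "carol"},
        "eve": {"alice"},
        "frank": {"dave"},
    }
    ownertrust = {
        "alice": OwnerTrust.MARGINAL,
        "bob": OwnerTrust.MARGINAL,
        "carol": OwnerTrust.MARGINAL,
    }
    return signatures, ownertrust


def friend_of_friend_demo():
    """dave's signature on frank means nothing until I explicitly decide to
    trust dave as an introducer, even though dave's own key is fully valid."""
    signatures, ownertrust = example_web()
    before = compute_validity(signatures, ownertrust, "me")
    rated = dict(ownertrust, dave=OwnerTrust.FULL)
    after = compute_validity(signatures, rated, "me")
    return before, after


if __name__ == "__main__":
    before, after = friend_of_friend_demo()
    for name in ("alice", "dave", "eve", "frank"):
        print(f"{name}: {before[name]} -> {after[name]}")
```

Under these rules dave's key ends up fully valid (three marginal introducers vouched for it), but frank's key stays unknown: the model never lets a signature from a key you have not rated carry weight, which is one concrete answer to "just how trustworthy is that?". It also shows where the disagreement Melinda points to lives: the arithmetic is well defined, but what a person meant by signing, and whether they deserve the ownertrust you assign, is not something the software can check.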
