   Date: Sun, 15 Jan 95 20:46:34 +0000
   From: vitor(_at_)uminho(_dot_)pt

   But what about those hours and hours lost trying to build a
   certification path to a PGP public key? A simple finger or e-mail
   operation may give the common user a certain degree of trust (and PGP
   allows, fortunately, different levels of trust), but is it really
   safe? Maybe it takes a great amount of time to get things going, but
   it should compensate, in the long term.

In practice, people who use PGP haven't found this to be a big problem.
It certainly hasn't taken me hours and hours; most of the time it just
hasn't been a problem. Consider: most of the people that I want to
contact with something important, where I really care about the public
key being right (say, sending news about a vulnerability to the CERT,
for example) I'll either have their key certified already, or I can
place a call to their (well-published) phone number, and ask them for
the PGP key fingerprint.

And, there are other straightforward solutions for eliminating a huge
part of the problem --- for example, my business card has my PGP key
fingerprint on it; hence each time I hand out a business card to someone
whom I might want to communicate securely, they will be able to verify
my PGP key from my key fingerprint.

   My point is: if you really want to do things properly (in
   verifying others' public keys), the use of CA and PCA should be of
   great advantage.

Perhaps; but you make two assumptions here: (1) that real, production
CAs will actually exist (I think a very small number of PCA keys have
finally been issued under the IPRA, but I don't know of any CAs yet),
and (2) that people normally do a lot of communications where it's
important to tie the key to a physical identity AND where the two
physical people haven't had a chance to meet in person. (After all, if
you can meet in person, it's very easy to exchange PGP key
fingerprints.)
- Ted