
Re: GPG USAGE HOWTO 1 (was: Re: AM report on Thierry Bourrillon)



Hi Ralf!

On Tue, 17 Apr 2001, Ralf Treinen wrote:

> > Congratulations, you have just allowed me to impersonate Peter Palfrader
> > <sirpeter@gmx.net>, who happens to be an altogether different Peter
> > Palfrader than me.
> 
> If I only signed the first one you enter the web of trust, and
> hence can sign yourself the other one.

Trust is not something that can be handled automatically.
It all depends on how much you trust the people in the chain to do good
key signing.


      signed         signed
(me) --------> (you) -------> Mallory <good@noreply.org>

I trust you and myself to do keysignatures only when everything is correct.
Therefore I can assume that good@noreply.org actually is Mallory's address.


      signed         signed                               signed
(me) --------> (you) -------> Mallory <good@noreply.org> --------> Mallory <bad@noreply.org>

I trust you and myself but I've no reason at all to trust Mallory. Don't
get me wrong, I trust that good@noreply.org actually _is_ Mallory, but her
signatures are worthless because I do not trust her.

So bad@noreply.org might be Mallory's email address or not. I have no way
to find out.

otoh if you signed bad@noreply.org directly:

      signed         signed
(me) --------> (you) -------> Mallory <bad@noreply.org>

and I trusted you, I would take your word for it and Mallory could trick me
into believing she was the person behind bad@noreply.org, based on YOUR
ASSERTION.

					yours,
					peter
-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :    By professionals,
                           | `. `'      for professionals
 http://www.palfrader.org/ |   `-    http://www.debian.org/
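The three diagrams in the mail, worked through as an added example (this is not code from the mail or from GnuPG): a toy web-of-trust validity computation. The names, the owner-trust values and the simplified rule (one signature from a valid, fully trusted signer suffices; no marginal counting) are assumptions made for the example.

```python
ULTIMATE, FULL, NONE = "ultimate", "full", "none"   # owner-trust levels, GnuPG-like (assumed)

# Which person holds each user ID (constructed to match the diagrams in the mail).
OWNER = {"me": "me", "you": "you",
         "good@noreply.org": "mallory", "bad@noreply.org": "mallory"}

# How much I trust each person to sign only after checking properly (assumed values).
OWNERTRUST = {"me": ULTIMATE, "you": FULL, "mallory": NONE}


def valid_uids(signatures, ownertrust=OWNERTRUST, owner=OWNER):
    """Return the set of user IDs I may believe, given signatures {uid: {signer uid, ...}}.

    A uid is valid if its holder is ultimately trusted (me), or if it carries a
    signature from a uid that is itself valid AND whose holder I trust (FULL or
    ULTIMATE) to sign carefully. Believing that a uid belongs to someone and
    trusting that someone as a signer are two separate questions.
    """
    valid = {uid for uid, who in owner.items() if ownertrust.get(who) == ULTIMATE}
    changed = True
    while changed:  # propagate along the chain until nothing new becomes valid
        changed = False
        for uid, signers in signatures.items():
            if uid not in valid and any(
                s in valid and ownertrust.get(owner[s]) in (FULL, ULTIMATE) for s in signers
            ):
                valid.add(uid)
                changed = True
    return valid


def chain_via_mallory():
    # Diagram 2: me -> you -> good@ -> bad@, the last signature made by Mallory herself.
    sigs = {"you": {"me"}, "good@noreply.org": {"you"}, "bad@noreply.org": {"good@noreply.org"}}
    return valid_uids(sigs)


def chain_direct():
    # Diagram 3: you signed bad@noreply.org directly, so I take your word for it.
    sigs = {"you": {"me"}, "good@noreply.org": {"you"}, "bad@noreply.org": {"you"}}
    return valid_uids(sigs)


def chain_via_mallory_if_trusted():
    # Same signatures as diagram 2, but now I also trust Mallory as a signer.
    sigs = {"you": {"me"}, "good@noreply.org": {"you"}, "bad@noreply.org": {"good@noreply.org"}}
    return valid_uids(sigs, {**OWNERTRUST, "mallory": FULL})


if __name__ == "__main__":
    print("via Mallory:", sorted(chain_via_mallory()))
    print("you signed bad@ directly:", sorted(chain_direct()))
```

Running it shows good@noreply.org valid in both chains, while bad@noreply.org only becomes valid once a signer I actually trust (you, or Mallory after raising her owner trust) has signed it.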