[ale] PGP/GPG Session... RFC...

David S. Jackson deepbsd at earthlink.net
Tue Oct 15 18:58:51 EDT 2002


On Tue, Oct 15, 2002 at 05:46:47PM -0400 Michael D. Hirsch <mhirsch at nubridges.com> wrote:
> On Tuesday 15 October 2002 04:04 pm, Michael H. Warfield wrote:
> > On Tue, Oct 15, 2002 at 03:51:55PM -0400, Michael D. Hirsch wrote:
> > > On Tuesday 15 October 2002 11:29 am, Michael H. Warfield wrote:
[...]
> > > > 	I can do ONE of the following...
[...]
> > 	Let me refine my statement a bit...  I can only do one of those
> > in a given session.  
[...]
> > 	I guess I should have said "I can do ONE of the following for the
> > December session..."
> 
> Then I vote for a general gpg talk that would bring people up to the 
> point that they could go home and create keys, send mail, etc., followed 
> by a key signing party in February, or whenever your schedule permits.

My vote would be to explain the "web of trust" concept in some
detail.  

I've been using pgp/gpg for quite some time, but I feel like I'm
a newbie when it comes to actually knowing which keys to trust
and which to not trust.  My normal behavior is to just go ahead
and trust that a key belongs to whoever says it is theirs, but I
only get away with that because I don't really deal with
information or people that require authentication (the
consequences of false impersonation haven't appeared risky enough
to motivate me to upgrade my behavior I guess).  

It seems like a PITA to actually phone people up and ask for
their key's fingerprint, especially when I've never actually met
most of the people whose gpg/pgp keys I encounter.  When all you
have is an online identity for someone, how do you validate their
key signature?  How do you know they are really signing it
themselves?  Further, it's possible that I have been conversing
with someone online who has been operating under an assumed
identity for quite some time and that that alter-identity is the
only identity I know.  But how could I really verify that the
identity of someone I'm corresponding with is genuine and that
they simply weren't just the first person to create a keypair for
an assumed identity?

Also, I sometimes have questions about the practical use of
pgp/gpg, like, "Is it possible to specify more than one keyserver
in your $HOME/.gnupg/options file, so that if one keyserver is
down, swamped, or doesn't seem to have a key you're looking for,
it would automatically try a different server?"

TIA!

-- 
David S. Jackson                        dsj at dsj.net
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
God is a comic playing to an audience that's afraid
to laugh.

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
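The "web of trust" question raised in the post above comes down to a mechanical rule: your own key is the root, and another key's identity counts as valid only when enough keys you have marked as trusted introducers have certified it. The following is an added example, not code from the poster or from GnuPG, that models that rule with GnuPG's default thresholds (one fully trusted certification or three marginally trusted ones, chains no longer than five). The key names, owner-trust assignments and certifications are constructed, and the model is deliberately simplified: real GnuPG tracks validity per user ID and also reports a "marginal" validity level, which this example collapses into valid or not valid.

```python
"""Simplified web-of-trust validity calculation, modelled on GnuPG's classic
trust model with its default thresholds (constructed example, not GnuPG code)."""
from dataclasses import dataclass

COMPLETES_NEEDED = 1   # GnuPG default for --completes-needed
MARGINALS_NEEDED = 3   # GnuPG default for --marginals-needed
MAX_CERT_DEPTH = 5     # GnuPG default for --max-cert-depth


@dataclass
class Web:
    """A keyring view: who I trust as an introducer, and who certified whom."""
    owner_trust: dict   # key id -> 'ultimate' | 'full' | 'marginal' | 'none'
    certs: list         # (signer, signed): signer certified signed's user ID


def compute_validity(web: Web) -> dict:
    """Return {key_id: depth} for every key whose identity is considered valid.

    Simplified rules:
      - keys with owner trust 'ultimate' (my own) are valid at depth 0;
      - another key becomes valid when it carries certifications from already
        valid keys: at least COMPLETES_NEEDED from fully/ultimately trusted
        signers, or at least MARGINALS_NEEDED from marginally trusted signers;
      - certifications from signers whose owner trust is 'none' never count,
        even if the signer's own key is valid;
      - certification chains stop at MAX_CERT_DEPTH.
    Keys are validated level by level, so each gets its shortest chain length.
    """
    valid = {k: 0 for k, t in web.owner_trust.items() if t == 'ultimate'}
    for depth in range(MAX_CERT_DEPTH):
        newly = {}
        for key in web.owner_trust:
            if key in valid:
                continue
            full = marginal = 0
            for signer, signed in web.certs:
                if signed != key or signer not in valid:
                    continue
                trust = web.owner_trust.get(signer, 'none')
                if trust in ('ultimate', 'full'):
                    full += 1
                elif trust == 'marginal':
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly[key] = depth + 1
        if not newly:
            break
        valid.update(newly)
    return valid


def example_web() -> Web:
    """Constructed sample keyring (hypothetical names, no real keys)."""
    owner_trust = {
        'me': 'ultimate',
        'bob': 'full',          # fingerprint checked in person; careful signer
        'carol': 'marginal', 'dave': 'marginal', 'erin': 'marginal',
        'frank': 'none',        # his key is valid, but I don't rely on him as an introducer
        'grace': 'none', 'heidi': 'none', 'ivan': 'none',
        'heidi-impostor': 'none',   # self-generated key claiming to be Heidi, nobody certified it
    }
    certs = [
        ('me', 'bob'), ('me', 'carol'), ('me', 'dave'), ('me', 'erin'),
        ('bob', 'frank'),                                   # one full introducer is enough
        ('carol', 'grace'), ('dave', 'grace'), ('erin', 'grace'),   # three marginals
        ('carol', 'heidi'), ('dave', 'heidi'),              # only two marginals: not enough
        ('frank', 'ivan'),                                  # signer's owner trust is 'none'
        ('heidi-impostor', 'heidi-impostor'),               # self-signature carries no trust
    ]
    return Web(owner_trust, certs)


if __name__ == '__main__':
    web = example_web()
    validity = compute_validity(web)
    for key in web.owner_trust:
        status = f"valid (depth {validity[key]})" if key in validity else "NOT valid"
        print(f"{key:16} {status}")
```

The two cases that speak to the post's worry about assumed identities are `heidi-impostor` and `ivan`: a key is never valid merely because it exists and claims a name, and a certification counts only when it comes from someone you have consciously marked as an introducer. Ownertrust is the local decision you make after checking a fingerprint; validity is what the software derives from everyone's certifications plus those decisions.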





