[conspire] Offering GPG/PGP Workshop at CABAL
daniel at gimpelevich.san-francisco.ca.us
Wed May 14 12:01:43 PDT 2008
On Wed, 14 May 2008 12:35:42 -0700, Rick Moen wrote:
> You seem to have missed the main point: A crypto identity that merely
> says "Hi, I represent person X. Trust me" has a bootstrapping problem.
Absolutely, and just like the bootstrapping problem a computer has when
powered on, this problem is easily worked around.
>> The more a particular signature is used by an individual, the more
>> obvious it becomes that that's whose signature it is.
> And how does one know that an S/MIME cert _is_ from a specific
> individual, if that individual neither conveyed it to you directly nor
> paid to have it attested to by a notary whom you both agree to trust?
You just quoted the answer to this question, yet you still ask it...
> I believe you (that you cannot see that).
> You presumably believe that you can get people to take S/MIME certs
> seriously without paying for Thawte (or similar) notary services. In my
> experience, that is just not the case.
If you have any stories of a GPG signature being accepted anywhere an SSL
signature certified through the CAcert web of trust had just been
rejected, please share.
> Nobody with a grain of sense trusts that cert to begin with, except me
> and the people I've helped verify that it really is reliable. Which I
> believe also helps underline my point.
I believe the latter part of that _is_ my point.
More information about the conspire