[conspire] Offering GPG/PGP Workshop at CABAL

Daniel Gimpelevich daniel at gimpelevich.san-francisco.ca.us
Wed May 14 12:01:43 PDT 2008


On Wed, 14 May 2008 12:35:42 -0700, Rick Moen wrote:

> You seem to have missed the main point:  A crypto identity that merely
> says "Hi, I represent person X.  Trust me" has a bootstrapping problem.

Absolutely, and just like the bootstrapping problem a computer has when
powered on, this problem is easily worked around.

>> The more a particular signature is used by an individual, the more
>> obvious it becomes that that's whose signature it is.
> 
> And how does one know that an S/MIME cert _is_ from a specific
> individual, if that individual neither conveyed it to you directly nor
> paid to have it attested to by a notary whom you both agree to trust?

You just quoted the answer to this question, yet you still ask it...

> I believe you (that you cannot see that).
> 
> You presumably believe that you can get people to take S/MIME certs
> seriously without paying for Thawte (or similar) notary services.  In my
> experience, that is just not the case.

If you have any stories of a GPG signature being accepted anywhere an SSL
signature certified through the CAcert web of trust had just been
rejected, please share.

> Nobody with a grain of sense trusts that cert to begin with, except me
> and the people I've helped verify that it really is reliable.  Which I
> believe also helps underline my point.

I believe the latter part of that _is_ my point.




