[SGVLUG] Keysigning
Diane Trout
diane at ghic.org
Tue Dec 3 19:25:14 PST 2013
> While I'm not entirely against the concept of the WoT, I must also agree
> that a physical encounter with a random stranger who happens to share a
> LUG mailing list isn't a guarantee that the person is trustworthy. That
> is an entirely different matter, and probably way off-topic here, but I
> find it somewhat relevant to the statement above.
Actually that's a good point.
I was trying to imagine situations where I thought the WoT was most likely to
work, and I had been thinking that something like Debian or Python, which are
geographically distributed but still fairly tightly knit communities, are the
best-case situations.
When someone new joins, Alice, there's a good chance that their key will be
signed by someone who already has a long history with the community, Bob.
Because Bob has been around forever, the other community members have
reason to trust his ability to verify Alice's identity.
Also since Alice was probably interacting with others over the Internet before
going through the pain of getting her key signed, other members already had
reason to know her.
The key signing is providing a way to reduce the risk that someone else,
Mallory, can impersonate Alice -- which is a risk because they only all see
each other every few years at a conference.