[SGVLUG] Keysigning

Diane Trout diane at ghic.org
Tue Dec 3 19:25:14 PST 2013


> While I'm not entirely against the concept of the WoT, I must also agree
> that a physical encounter with a random stranger who happens to share a
> LUG mailing list, isn't a guarantee that the person is trustworthy. That
> is an entirely different matter, and probably way off-topic here, but I
> find it somewhat relevant to the statement above.

Actually that's a good point. 

I was trying to imagine situations where I thought the WoT was most likely to 
work and I had been thinking something like Debian or Python which are 
geographically distributed but still fairly tightly knit communities are the 
best case situations.

When someone new joins, Alice, there's a good chance that their key will be 
signed by someone who already has a long history with the community, Bob. 
Because Bob has been around forever the other community members have 
reason to trust his ability to verify Alice's identity.

Also since Alice was probably interacting with others over the Internet before 
going through the pain of getting her key signed, other members already had 
reason to know her. 

The key signing is providing a way to reduce the risk that someone else,  
Mallory, can impersonate Alice -- which is a risk because they only all see 
each other every few years at a conference.




