Mailing List Archive

gpg keys; GSWoT & PGP Global Directory Key
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm seeing a bunch of keys in my keyring with GSWoT(1) and PGP Global
Directory(2) signatures on them. Obviously both websites encourage you
to download their keys and trust them. While I realize what keys you
trust is totally up to you, I'm wondering what fellow people do. My
idea was to /maybe/ add them in as moderates that way they don't run my
keyring for me, but still vouch for people where necessary.

1) http://www.gswot.org/
2) http://www.pgp.com/products/globaldirectory/index.html

- --
Eric Martin
Key fingerprint = D1C4 086E DBB5 C18E 6FDA B215 6A25 7174 A941 3B9F
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH7UNndheOldgSlQgRAtMfAJ9NBp0+gN+n6rqrjdSIr7gLE1s4WgCfc55b
QyXV8k4NDKvGGsd9xXDRNv8=
=hJiF
-----END PGP SIGNATURE-----
--
gentoo-security@lists.gentoo.org mailing list
Re: gpg keys; GSWoT & PGP Global Directory Key
Hi Eric,
on Fri, Mar 28, 2008 at 03:13:43PM -0400, you wrote:
> I'm seeing a bunch of keys in my keyring with GSWoT(1) and PGP Global
> Directory(2) signatures on them. Obviously both websites encourage you
> to download their keys and trust them. While I realize what keys you
> trust is totally up to you, I'm wondering what fellow people do. My
> idea was to /maybe/ add them in as moderates that way they don't run my
> keyring for me, but still vouch for people where necessary.

As far as I can see, the PGP Global Directory does no verification apart
from checking that an email address exists, so its signature isn't worth
much for the WoT. The GSWoT signatures on the other hand mean the owner
of the key has been personally checked by an introducer. It's a matter
of taste but I usually don't sign role account keys, I think they should
be signed by members of the institution (the introducers in this case)
whom I can choose to trust because their identity can be verified. So as
I wanted to trust the GSWoT key, I just imported some intermediate keys
to build a couple of marginal trust paths via people I've met
personally.

cheers,
Matthias
--
I prefer encrypted and signed messages. KeyID: FAC37665
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665
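
Added example, not part of the original messages: a simplified Python model of GnuPG's classic trust model with its default thresholds (3 marginal or 1 full signature, certification depth 5), showing what marginal versus full ownertrust on a role key does to the rest of a keyring. All key names are constructed placeholders, and the model ignores expiry, revocation and trust signatures.

```python
# Simplified model of GnuPG's classic trust model (added example).
# Thresholds are GnuPG's defaults for --marginals-needed, --completes-needed
# and --max-cert-depth. Key names below are constructed placeholders.
MARGINALS_NEEDED, COMPLETES_NEEDED, MAX_CERT_DEPTH = 3, 1, 5

def valid_keys(own_key, sigs, ownertrust):
    """Return {key: depth} for every key the model considers valid.

    sigs:       {signed_key: set of keys that certified it}
    ownertrust: {key: "full" | "marginal"}; unlisted keys are untrusted
    """
    valid = {own_key: 0}  # your own key is ultimately trusted
    for depth in range(1, MAX_CERT_DEPTH + 1):
        newly = {}
        for key, signers in sigs.items():
            if key in valid:
                continue
            # Only signatures made by keys that are already valid count.
            usable = [s for s in signers if s in valid]
            full = sum(1 for s in usable
                       if s == own_key or ownertrust.get(s) == "full")
            marginal = sum(1 for s in usable
                           if ownertrust.get(s) == "marginal")
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)
    return valid

def demo():
    """Constructed keyring: three introducers met in person, one role key."""
    sigs = {
        "intro_a": {"me"}, "intro_b": {"me"}, "intro_c": {"me"},
        "role_key": {"intro_a", "intro_b", "intro_c"},
        "stranger": {"role_key"},  # vouched for by the role key only
    }
    trust = {"intro_a": "marginal", "intro_b": "marginal",
             "intro_c": "marginal", "role_key": "marginal"}
    as_marginal = valid_keys("me", sigs, trust)
    as_full = valid_keys("me", sigs, {**trust, "role_key": "full"})
    return as_marginal, as_full

if __name__ == "__main__":
    for label, result in zip(("role key marginal", "role key full"), demo()):
        print(label, "->", sorted(result.items(), key=lambda kv: kv[1]))
```

With marginal ownertrust the role key's signature alone never validates a key; with full ownertrust every key it signs becomes valid.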
Re: gpg keys; GSWoT & PGP Global Directory Key
Matthias Bethke wrote:
> As far as I can see, the PGP Global Directory does no verification apart
> from checking that an email address exists, so its signature isn't worth
> much for the WoT. The GSWoT signatures on the other hand mean the owner
> of the key has been personally checked by an introducer. It's a matter
> of taste but I usually don't sign role account keys, I think they should
> be signed by members of the institution (the introducers in this case)
> whom I can choose to trust because their identity can be verified. So as
> I wanted to trust the GSWoT key, I just imported some intermediate keys
> to build a couple of marginal trust paths via people I've met
> personally.

http://xkcd.com/364/

--
Randy Barlow
http://electronsweatshop.com
Re: gpg keys; GSWoT & PGP Global Directory Key
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Randy Barlow wrote:

| http://xkcd.com/364/
|
ROTFLMAO!!!!! One more reason to love xkcd.

- --
Eric Martin
PGP fingerprint = D1C4 086E DBB5 C18E 6FDA B215 6A25 7174 A941 3B9F
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH8nSwdheOldgSlQgRAnZ8AKDy7ce9lxA5Q/EYgjm1kCvk/ukG+wCgye10
gNMktf03g7da1HqFXNNixOU=
=2sdx
-----END PGP SIGNATURE-----
Re: gpg keys; GSWoT & PGP Global Directory Key
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matthias Bethke wrote:
| Hi Eric,
| on Fri, Mar 28, 2008 at 03:13:43PM -0400, you wrote:
|> I'm seeing a bunch of keys in my keyring with GSWoT(1) and PGP Global
|> Directory(2) signatures on them. Obviously both websites encourage you
|> to download their keys and trust them. While I realize what keys you
|> trust is totally up to you, I'm wondering what fellow people do. My
|> idea was to /maybe/ add them in as moderates that way they don't run my
|> keyring for me, but still vouch for people where necessary.
|
| As far as I can see, the PGP Global Directory does no verification apart
| from checking that an email address exists, so its signature isn't worth
| much for the WoT. The GSWoT signatures on the other hand mean the owner
| of the key has been personally checked by an introducer. It's a matter
| of taste but I usually don't sign role account keys, I think they should
| be signed by members of the institution (the introducers in this case)
| whom I can choose to trust because their identity can be verified. So as
| I wanted to trust the GSWoT key, I just imported some intermediate keys
| to build a couple of marginal trust paths via people I've met
| personally.
|
| cheers,
| Matthias
Ok, thanks. I don't have those marginal trust paths but I do have a few
introducers near me and I was planning on getting together and signing
keys. I'll have to bump those plans up. Thanks for the pointers.

- --
Eric Martin
PGP fingerprint = D1C4 086E DBB5 C18E 6FDA B215 6A25 7174 A941 3B9F
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH8nlpdheOldgSlQgRAjFbAKDALJzGQKNmnJtmIy5Cer99MYQf7QCfYdI+
MqtkNSYdxoqXT2Av0JO51FY=
=Nb2m
-----END PGP SIGNATURE-----