| 1 |
Hi Eric, |
| 2 |
on Fri, Mar 28, 2008 at 03:13:43PM -0400, you wrote: |
| 3 |
> I'm seeing a bunch of keys in my keyring with GSWoT(1) and PGP Global |
| 4 |
> Directory(2) signatures on them. Obviously both websites encourage you |
| 5 |
> to download their keys and trust them. While I realize what keys you |
| 6 |
> trust is totally up to you, I'm wondering what fellow people do. My |
| 7 |
> idea was to /maybe/ add them in as moderates that way they don't run my |
| 8 |
> keyring for me, but still vouch for people where necessary. |
| 9 |
|
| 10 |
As far as I can see, the PGP Global Directory does no verification apart |
| 11 |
from checking that an email address exists, so its signature isn't worth |
| 12 |
much for the WoT. The GSWoT signatures on the other hand mean the owner |
| 13 |
of the key has been personally checked by an introducer. It's a matter |
| 14 |
of taste but I usually don't sign role account keys, I think they should |
| 15 |
be signed by members of the institution (the introducers in this case) |
| 16 |
whom I can choose to trust because their identity can be verified. So as |
| 17 |
I wanted to trust the GSWoT key, I just imported some intermediate keys |
| 18 |
to build a couple of marginal trust paths via people I've met |
| 19 |
personally. |
| 20 |
|
| 21 |
cheers, |
| 22 |
Matthias |
| 23 |
-- |
| 24 |
I prefer encrypted and signed messages. KeyID: FAC37665 |
| 25 |
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665 |
Archives