(in response to a topic mentioned in various threads)

I agree that neither CA-verification nor WoT-verification is as useful as Key Fingerprint-verification for secure communication between crypto-aware individuals. After all, CAs can be subverted and WoT is probably best used as a back-up option when direct key verification is not possible. Key Fingerprints can be verified in both PGP and S/MIME, but neither system enforces it. I would prefer for Key Fingerprint-verification to be more central to the system.

--- [EMAIL PROTECTED] wrote:
...
> The hierarchical Verisign model is useful when one wishes to
> verify that something comes from a famous and well known
> name -- that this software really is issued by Flash, that
> this website really does belong to the Bank of America. In
> this case, however, only famous and well known names need
> their keys from Verisign. No one else needs one.
>
> When one wishes to know one is really communicating with Bob,
> it is best to use the same channels to verify this is Bob's
> key, as one used to verify that Bob is the guy one wishes to
> talk to. The web of trust, and Verisign, merely get in the
> way.
...

--- Eric Murray <[EMAIL PROTECTED]> wrote:
...
> And to be honest, exactly zero of the PGP exchanges I have
> had have actually used the web of trust to really verify a
> PGP key. I've only done it in testing. In the real world, I
> either verify out of band (i.e. over the phone) or don't
> bother if the other party is too clueless to understand what
> I want to do and getting them to do PGP at all has already
> exhausted my patience.
...

=====
end