The "Web of Trust" model is based on people physically meeting and exchanging keys. You depend on Alice and Bob and yourself to meet in person. Alice verifies that Bob is Bob and that you are you. All three of you exchange keys. This is the ONLY secure way to do it. This is not a very practical model when dealing outside your locale or area. In addition, what do you do if, say, Bob's keys have been compromised or stolen from his machine? Do you depend on a signed or unsigned email from Bob telling you what happened and "here are my new keys"? Catch-22.
I would not say that this is a better way, just a different way.

Phil

----- Original Message -----
From: "Chris Wilkes" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 18, 2001 12:05 PM
Subject: Re: Small office Firewall.

> Anyone use GNUPG? It uses a "web of trust" where fellow humans certify you
> are who you are. I.e. if Alice says that Bob is who he is and you trust
> Alice, then you trust that the mail signed by Bob is really from Bob.
>
> This approach is radically different from the PGP way pushed by Network
> Associates where there is a root authority stamping everyone's
> certificate. This is almost a perfect example of how the GNU way is
> better: the potential collapse of the root person might cause the downfall
> of the system. See also where Verisign signed a fake certificate for
> someone they thought worked for Microsoft.
>
> http://www.gnupg.org
>
> Chris
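The exchange above describes the web-of-trust idea (you vouch for Alice, Alice vouches for Bob) and the awkward case Phil raises (Bob's key is stolen and a "new key" arrives by email). The following is an added example, not code from this thread or from GnuPG itself: a toy Python model of how key validity is computed in a GnuPG-style web of trust, simplified to the rule that a key is valid when it carries a certification from one fully trusted valid key or from three marginally trusted valid keys, and that a revoked key is neither valid nor able to vouch for anything. Key fingerprints, names, and the scenario are constructed for illustration; real certifications are cryptographic signatures, which this model represents as plain tuples.

```python
from dataclasses import dataclass, field

# Owner-trust levels (GnuPG's notion): how far you trust a key's *owner* to
# verify other people before certifying their keys. This is separate from
# whether the key itself is valid (i.e. really belongs to its named owner).
FULL, MARGINAL, NONE = "full", "marginal", "none"


@dataclass
class Key:
    owner: str
    fingerprint: str
    revoked: bool = False


@dataclass
class WebOfTrust:
    my_fingerprint: str                              # your own key: ultimately trusted
    keys: dict = field(default_factory=dict)         # fingerprint -> Key
    certs: set = field(default_factory=set)          # (signer_fp, signed_fp) certifications
    owner_trust: dict = field(default_factory=dict)  # fingerprint -> FULL / MARGINAL / NONE
    marginals_needed: int = 3                        # GnuPG default: 1 full or 3 marginal signers

    def add_key(self, owner: str, fingerprint: str) -> Key:
        key = Key(owner, fingerprint)
        self.keys[fingerprint] = key
        return key

    def certify(self, signer_fp: str, signed_fp: str) -> None:
        """Record that signer_fp's owner verified signed_fp's owner (e.g. in person)."""
        self.certs.add((signer_fp, signed_fp))

    def revoke(self, fingerprint: str) -> None:
        """Mark a key as revoked, e.g. after it was stolen from the owner's machine."""
        self.keys[fingerprint].revoked = True

    def is_valid(self, fingerprint: str, _path=frozenset()) -> bool:
        """Does this key validly belong to its named owner, from my point of view?"""
        key = self.keys[fingerprint]
        if key.revoked:
            return False
        if fingerprint == self.my_fingerprint:
            return True                          # my own key is valid by definition
        if fingerprint in _path:
            return False                         # break certification cycles (A<->B)
        path = _path | {fingerprint}
        full = marginal = 0
        for signer_fp, signed_fp in self.certs:
            if signed_fp != fingerprint:
                continue
            # A certification only counts if the signing key is itself valid
            # and not revoked; a stolen-then-revoked key cannot vouch for anything.
            if self.keys[signer_fp].revoked or not self.is_valid(signer_fp, path):
                continue
            trust = self.owner_trust.get(signer_fp, NONE)
            if trust == FULL:
                full += 1
            elif trust == MARGINAL:
                marginal += 1
        return full >= 1 or marginal >= self.marginals_needed


def scenario() -> dict:
    """Walk through the thread's scenario; returns the validity results at each step."""
    wot = WebOfTrust(my_fingerprint="ME-0001")
    wot.add_key("me", "ME-0001")
    wot.owner_trust["ME-0001"] = FULL
    wot.add_key("Alice", "ALICE-0001")
    wot.add_key("Bob", "BOB-0001")

    wot.certify("ME-0001", "ALICE-0001")         # I met Alice and checked her key
    wot.certify("ALICE-0001", "BOB-0001")        # Alice met Bob and certified his key
    results = {}

    wot.owner_trust["ALICE-0001"] = MARGINAL     # Alice's key is valid, but I only half-trust her checks
    results["bob_with_alice_marginal"] = wot.is_valid("BOB-0001")   # one marginal signer is not enough

    wot.owner_trust["ALICE-0001"] = FULL         # I fully trust Alice as an introducer
    results["bob_with_alice_full"] = wot.is_valid("BOB-0001")

    wot.revoke("BOB-0001")                       # Bob's key was stolen; he publishes a revocation
    results["bob_after_revoke"] = wot.is_valid("BOB-0001")

    wot.add_key("Bob", "BOB-0002")               # "here are my new keys" arrives by email
    results["new_key_unvouched"] = wot.is_valid("BOB-0002")         # nobody has vouched for it

    wot.certify("BOB-0001", "BOB-0002")          # even a statement signed by the old key
    results["new_key_vouched_by_revoked_key"] = wot.is_valid("BOB-0002")  # does not count

    wot.certify("ALICE-0001", "BOB-0002")        # Alice re-verifies Bob in person
    results["new_key_after_alice_recheck"] = wot.is_valid("BOB-0002")
    return results
```

The point the model makes concrete is the one Phil raises: once Bob's key is revoked, neither the old key nor an unsigned email can introduce a replacement; the new key only becomes valid when someone you already trust as an introducer (Alice) verifies Bob again, which means another in-person exchange.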
