About PGP Signing a File.

[Ouattara Oumar Aziz]

Duncan Lithgow a écrit :
> On Tue, 2007-02-13 at 00:27 +0100, Ouattara Oumar Aziz wrote:
>> The way I understand it is just like Certificates use with SSL. The 
>> trust you put on a key depends on the security organization you are in. 
>> So I may have a key signed by the security team of my company, that key 
>> is trustworthy for anyone in that company but outside that company, it's 
>> not valuable at all.
>> That's why, when I see some people on some mailing list signing there 
>> mail using PGP I just wonder what they want to prove. We have no way to 
>> check the authority behind that key.
> I think you're misunderstanding the way the "web of trust" works. It's
> only got value of you find yourself in the other persons web of trust.
> It's all to do with how many degrees of separation there are between you
> and the person whose key you're looking at. If someone who you trust has
> been thorough in checking the identity of the new key then you can trust
> the new key. And that's the judgement you have to make: "Do I trust that
> the person I know has checked this persons identity?" And if it's one
> further step away the questions becomes: "Do I trust that the person I
> know has only signed keys of people who he knows are thorough in
> checking the identity of new keys they sign?" And so on.
> 
> My key is for example signed by one of the main Danish developers of BSD
> - chances are quite high that you know someone who knows him. I can't
> remember the math but it turns out that it's usually surprisingly few
> degrees of separation between people. The weakness of my key though -
> for example - is that it's only signed by people who live in Denmark -
> so sometimes the connection may be a bit more distant.
> 
> I hope that was a useful explanation. It's quite different from the idea
> of a highly trusted signing authority.
> 
> Duncan
> 

Well explained :) .