Re: [Gnu-arch-users] Re: Common merge request format

[James Blackwell]

> Without further thought, I'd trust code that had that signature affixed.
>     I trust Andrew not to produce malware.
>
> But is that key in fact his?  I've never met him, and he's never given 
> me his fingerprint.  My only experience with that key is through the 
> list.  So ultimately, I have to trust the list; trust that it's not 
> reprocessing his messages so affix its own signatures.  And if I don't 
> trust the list, I can't be sure that the next message I get with that 
> key really comes from Andrew.

If you're new to the list, and everybody to the list, of course! 

However, even if you're new to the list, not all of the people that you
find on the list may be new to you. Imagine if you had met and
exchanged keys with Lord, Suffield and I. Now, you come across a
signature that you don't know the veracity of. That's ok. You check the
signatures, and you see that Tom, Suffield and I have all signed it. The
following can be established:

1. A priori, Lord, Suffield and Blackwell have keys A,B and C 

2. Keys A, B and C have all signed that key D is authentic

3. If you fully trust that Lord, Suffield *or* Blackwell follow the rules 
   when signing another person's key, you can be comfortable with the 
   knowledge that key D is authentic.

4. If you "mostly" trust Lord, Suffield *and* Blackwell follow the rules
   when signing another person's key, you can now be comfortable wih the
   knowledge that key D is authentic. The less you trust any of the
   endorsers, the more endorsers you need for that comfort.

5. If you have no trust* in Lord, Suffield and Blackwell (or anybody
   other signature on the key, for that matter), then, and only then,
   do you have _no_trust_ in the authenticity of key D.


Whats really nice about public cryptography tools is that you can
essentially automate a great deal of the process. Once you see a key,
you can edit how much you trust the authenticity of a key, how much you
trust that a person will do the job right when they sign other keys. If
you meet somebody and establish their identity, you can even sign their
key, to send a message to others that trust you that "Yeah, this is
other key here is real too".


* For example, I've got nine or ten people that over the years have
  signed my key. As likely don't know them, those signatures probably
  have no value to you.


-- 
James Blackwell          Please do not send me carbon copies of mailing
Smile more!              list posts. Such mail is unsolicited. Thank you!

GnuPG (ID 06357400) AAE4 8C76 58DA 5902 761D  247A 8A55 DA73 0635 7400