Weaving a PGP Web of trust..proposal? comments? (fwd)
Ian Brown
I.Brown at cs.ucl.ac.uk
Mon, 17 Aug 1998 09:06:02 +0100
> A lawyer asked to say that a client has 'proved' himself to be who he
> says he is could be being asked to undertake expensive and fruitless
> investigations.

And what would "proving" who you are in this context mean anyway?

If I wanted to communicate securely with someone from this list who I'd
never met, I wouldn't care what their "name" was: I would want to talk to
the person who sent the messages that I am contacting them about. Once more
people sign their posts, I would simply use the key that had been used to
sign the posts of interest, regardless of the name on it.

Read the Simple Public Key Infrastructure Internet-drafts at
http://www.ietf.org/ for a better explanation than mine of why global
certification namespaces (as used by PGP and X.509) are silly.

(Ducking for cover ;)

Ian.

PS I help run a couple of CAs to give people a non-escrowed alternative to
TTPs, not because I believe they're the right way to set up a PKI ;)