Re: kernel.org status: establishing a PGP web of trust
From: Valdis . Kletnieks
Date: Fri Oct 07 2011 - 14:23:47 EST
On Fri, 07 Oct 2011 12:59:30 EDT, Arnaud Lacombe said:
> How so? The public key Bob has is mathematically tied to the private
> key Alice has. If Bob sends Alice a mail, and then, she sends a reply
> signed with her key, which is tied to the mail address used by Bob.
> Then, Bob successfully verifies the signature. This proves Alice has
> control over the key tied and the mail address, don't it?
As I said - yes, that *DOES* prove control over key and email address.
The point is that signing something random does not prove anything about
control of the *KEY ONLY* that isn't also proved by using the key to sign
another key.