On Jul 11, 2024, Greg Wooledge wrote:
> On Thu, Jul 11, 2024 at 17:23:43 +0500, 타토카 wrote:
> > But, what do you mean: "Because you haven't established a chain of trust
> > from yourself to any of the signatures."
> 
> Imagine someone walks up to you on the street and hands you a contract,
> which is signed by someone you've never heard of.
> 
> You don't know the guy who gave you the contract.  You've never seen him
> before.  So, you don't trust him. [...]

I always liked the analogy of schoolwork / notes.

Say you missed last Friday's class, and you need the notes (where "the
notes" correspond to "the pgp key in question").

Scenario A: "untrusted" ("website with a link / posted fingerprint")
You run into someone from class, who you don't really know all that
well, but you do know they answer the professor pretty often (and
correctly at that).  

Scenario B: "web of trust" ("one or more trusted signatures on that key")
Nearly the same as "A", but the other person is a friend-of-a-friend.
You can ask your friend when you meet them for lunch if you can trust
the classmate's notes.

Scenario C: "fully trusted" ("you made the effort to verify the owner")
You ask your best friend since second grade for their notes.  You know
they've been an "A" student since forever, and they take amazing notes.



-- 
|_|O|_| 
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860
