> On Wed, 2004-06-16 at 10:53, Danny Ayers wrote:
> > Yep, fyi, Edd Dumbill has done a little guide to PGP-signing FOAF
> > profiles [1]. Note the caveat:
> >
> > [[
> > Of course, anyone can concoct a fake PGP key with your email address,
> > just as they can lie about who was the |dc:creator| of a file. What
> > makes the PGP signature useful is that PGP public keys hook into a web
> > of trust, so you can decide how much you trust what a person with
> > such-and-such a key asserts.
> > ]]
> >
> > Signing alone almost certainly isn't the whole solution, but one piece
> > in a greater puzzle.
> >
>
> This is very true. If I have a picture annotation that claims to be from
> "Fred" and says "This is a picture of the summit of Everest", I have to
> know:
>
> 1) Who is Fred?
> 2) Did this really come from that Fred (and not some person pretending
> to be Fred)?
> 3) Did someone else modify it in transit?
> 4) What authority does Fred have to speak about this picture?
> 5) What authority does Fred have to identify pictures of the summit of
> Everest?
>
> Certificates and signing can only really address 1, 2 and 3 and can
> really only partially answer 1 in terms of information held by the
> certificate authority.
There is a whole other aspect, too. Suppose that you decide that Fred's credentials are really in order; to what extent can you believe what he says? A person can be untrustworthy on one or many subjects even though his identity is well-established.
Cheers,
Tom P