

> On Wed, 2004-06-16 at 10:53, Danny Ayers wrote:
> > Yep, fyi, Edd Dumbill has done a little guide to PGP-signing FOAF 
> > profiles [1]. Note the caveat:
> > 
> > [[
> > Of course, anyone can concoct a fake PGP key with your email address, 
> > just as they can lie about who was the |dc:creator| of a file. What 
> > makes the PGP signature useful is that PGP public keys hook into a web 
> > of trust, so you can decide how much you trust what a person with 
> > such-and-such a key asserts.
> > ]]
> > 
> > Signing alone almost certainly isn't the whole solution, but one piece 
> > in a greater puzzle.
> > 
> 
> This is very true. If I have a picture annotation that claims to be from
> "Fred" that says "This is a picture of the summit of Everest". I have to
> know:
> 
> 1) Who is Fred?
> 2) Did this really come from that Fred (and not some person pretending
> to be Fred)?
> 3) Did someone else modify it in transit?
> 4) What authority does Fred have to speak about this picture?
> 5) What authority does Fred have to identify pictures of the summit of
> Everest?
> 
> Certificates and signing can only really address 1, 2 and 3 and can
> really only partially answer 1 in terms of information held by the
> certificate authority.

There is a whole other aspect, too.  Suppose that you decide that Fred's credentials are really in order; to what extent can you believe what he says?  A person can be untrustworthy on one or many subjects even though his identity is well-established.

Cheers,

Tom P
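As an added example (not code from this thread, from Edd Dumbill's guide, or from GnuPG itself): a toy model of the web-of-trust validity calculation the quoted caveat refers to, plus a separate per-topic check for Tom's point that an established identity says nothing about whether the holder is trustworthy on a subject. It assumes GnuPG's classic defaults (one fully trusted or three marginally trusted certifications make a key valid) and that the PGP signature on the annotation has already been cryptographically verified; every key name, trust level and certification below is constructed for the example.

```python
# Toy model of GnuPG's classic web-of-trust rule: a key is valid when it is
# signed by 1 fully trusted valid key or 3 marginally trusted valid keys.
# Illustration only; every key and trust level below is constructed.
from typing import Dict, Set, Tuple

FULL, MARGINAL = "full", "marginal"

def compute_valid_keys(certifications: Dict[str, Set[str]],
                       owner_trust: Dict[str, str],
                       own_key: str,
                       marginals_needed: int = 3) -> Set[str]:
    """Keys whose name binding we accept (question 1 in the thread).
    certifications: key -> keys that signed it; owner_trust: how far we
    trust each key holder to certify others. Iterates to a fixed point."""
    valid = {own_key}                     # our own key is trusted absolutely
    changed = True
    while changed:
        changed = False
        for key, signers in certifications.items():
            if key in valid:
                continue
            usable = [s for s in signers if s in valid]   # only valid signers count
            full = sum(owner_trust.get(s) == FULL for s in usable)
            marginal = sum(owner_trust.get(s) == MARGINAL for s in usable)
            if full >= 1 or marginal >= marginals_needed:
                valid.add(key)
                changed = True
    return valid

def assess_annotation(signer: str, topic: str, valid: Set[str],
                      topic_trust: Dict[str, Set[str]]) -> Tuple[bool, bool]:
    """(identity established?, trusted on this topic?) for one signed claim.
    A valid key answers 'did this come from Fred', never 'is Fred right'."""
    return signer in valid, topic in topic_trust.get(signer, set())

# Constructed sample: "me" signed alice, bob and carol; alice signed dave;
# fred's key has three marginal certifications; "fake_fred" is signed only
# by eve, whom nobody we trust has certified.
CERTS = {"alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"alice"},
         "fred": {"bob", "carol", "dave"}, "eve": set(), "fake_fred": {"eve"}}
OWNER_TRUST = {"me": FULL, "alice": FULL, "bob": MARGINAL,
               "carol": MARGINAL, "dave": MARGINAL}
TOPIC_TRUST = {"fred": {"photography"}}   # subjects we believe fred knows

if __name__ == "__main__":
    valid = compute_valid_keys(CERTS, OWNER_TRUST, "me")
    print(sorted(valid))
    print(assess_annotation("fred", "everest summit", valid, TOPIC_TRUST))
```

With the sample data fred's key becomes valid (three marginal certifications), the impostor key does not, and fred is still not trusted to identify the summit of Everest: questions 2 and 3 are answered, questions 4 and 5 are not.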



