Comment Re:I use GnuPG (Score 1) 309

It feels like you either have a misunderstanding of how the WoT is supposed to work that leads you to false conclusions on how best to use it... only succeeding in making it too annoying for other people to be bothered working with it.

You come very close to saying that you want the Internet to be automatic and trustworthy. Pick one or the other; both are not possible today.

Comment Re:I use GnuPG (Score 1) 309

You can retain a copy of my public key on your computer. Then you can trust any signed message from me to be from the same source as the previous signed message from me.

Someone could make a key with the same details, get it to me somehow, and I would have no choice but to accept it

"get it to me somehow, and I would have no choice but to accept it"? You allow random strangers to update your hard disk? I don't.

Comment Re:I use GnuPG (Score 1) 309

It is not on any "KeyServer"

I correct myself. The truth is that as far as I can recall I have never put it on any keyserver. What other people may have spidered and copied I cannot control. I was under the impression that KeyServers were voluntary. I guess they're just a newer kind of insecurity.

Actually I've had two keys. A year or two ago I lost my private key and had to create a new key pair. I don't know whether the keyserver you listed has the old one or the new one. I hated to do that; my old PGP key pair predated the Internet. How did I distribute it? By hand.

The new one has more bits. I guess that the number of bits you need in your key depends on how powerful computers are; I think my first key had only 256 bits, which was safe from cracking back in 1992. Maybe we'll have to change all our keys every few years.

Later, you say "and the public key you get from my web site should confirm the signature."

In my defense I said "confirm the signature", not "prove the signature". The public key on my web site confirms the source of the message matches the site, but it does not 'prove' anything.

Proof? Don't make me laugh. A few years ago I lost my passport and had to go to the U.S. Consulate in Vientiane to get a new one, so even my passport can be doubted. You could ask my mother or father to vouch for my name, but they're dead. If you want fun, search for "Andy Canfield" on Facebook; there are maybe a hundred of us scattered all over the planet.

But I can't trust your site, because it's not HTTPS (which isn't perfect, but is better.) You can get free SSL certs.

I will look into that; I could not get a free cert when I studied HTTPS a few years ago.

And I can't trust your key because it's not in the web of trust.

You could say that I have my own 'web of trust' which are people who have personally met me. You want to join? If you ever come to Thailand say "Hello".

I could never trust any signed message to actually be for you, and I can't trust the information I have to encrypt something to you.

Wrong. You can retain a copy of my public key on your computer. Then you can trust any signed message from me to be from the same source as the previous signed message from me. Who is "me" is an unanswerable issue. You can use my public key to encrypt something to me, and be confident that only the guy with "my" private key can decode it. But once again, who is "me" is an unanswerable issue.

Thinking about it, I suggest the most confidence you can get is by sending me an e-mail arranging for a Skype call. Then in real time you can see my face, hear my voice, and I can show you my passport. But I don't run Skype all the time.
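The "retain a copy of my public key and trust continuity" argument made above (and in the shorter reply to the same point earlier in this thread) is what practitioners call trust-on-first-use key pinning. The following is an added example, not code from any poster here: it uses Go's standard-library Ed25519 as a stand-in for a PGP key pair, pins the first key seen for a sender, and then shows the two failure modes the thread argues about: an impostor who "makes a key with the same details" (valid signature, wrong key) and a body altered after signing (right key, bad signature). Sender addresses, message bodies and key pairs are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedMessage is a constructed stand-in for a PGP-signed mail: the
// sender's claimed details, the body, the public key attached to the
// message, and a detached signature over the body.
type SignedMessage struct {
	Sender    string
	Body      []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// KeyStore pins one public key per sender: the equivalent of keeping a
// copy of a correspondent's public key on your own disk.
type KeyStore struct {
	pinned map[string]ed25519.PublicKey
}

func NewKeyStore() *KeyStore {
	return &KeyStore{pinned: map[string]ed25519.PublicKey{}}
}

var (
	ErrBadSignature = errors.New("signature does not verify under the attached key")
	ErrKeyMismatch  = errors.New("attached key differs from the key pinned for this sender")
)

// Verify applies trust-on-first-use. The first message from a sender pins
// the attached key (firstUse == true). Every later message must carry the
// same key as the pinned one and a signature that verifies under it.
func (ks *KeyStore) Verify(m SignedMessage) (firstUse bool, err error) {
	if !ed25519.Verify(m.PublicKey, m.Body, m.Signature) {
		return false, ErrBadSignature
	}
	pinned, seen := ks.pinned[m.Sender]
	if !seen {
		ks.pinned[m.Sender] = append(ed25519.PublicKey(nil), m.PublicKey...)
		return true, nil
	}
	if !pinned.Equal(m.PublicKey) {
		return false, ErrKeyMismatch
	}
	return false, nil
}

// Sign builds a message signed with the given (demonstration) key pair.
func Sign(sender string, pub ed25519.PublicKey, priv ed25519.PrivateKey, body string) SignedMessage {
	b := []byte(body)
	return SignedMessage{Sender: sender, Body: b, PublicKey: pub, Signature: ed25519.Sign(priv, b)}
}

// Outcome records what happened for each of the four constructed messages.
type Outcome struct {
	FirstMsgPinned bool
	SecondMsgErr   error
	ImpostorErr    error
	TamperedErr    error
}

// RunScenario walks through first contact, continuity, impostor and tampering.
func RunScenario() (Outcome, error) {
	const sender = "andy@example.invalid" // constructed address, not the poster's
	andyPub, andyPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	fakePub, fakePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	ks := NewKeyStore()
	var o Outcome
	// First message: nothing pinned yet, so the attached key is retained.
	o.FirstMsgPinned, err = ks.Verify(Sign(sender, andyPub, andyPriv, "first message"))
	if err != nil {
		return o, err
	}
	// Second message from the same key: continuity with the first one.
	_, o.SecondMsgErr = ks.Verify(Sign(sender, andyPub, andyPriv, "second message"))
	// Impostor: same claimed details, different key. The signature is valid
	// under the attached key, but that key is not the one we retained.
	_, o.ImpostorErr = ks.Verify(Sign(sender, fakePub, fakePriv, "please send money"))
	// Tampering: the right key, but the body was changed after signing.
	m := Sign(sender, andyPub, andyPriv, "meet at noon")
	m.Body = []byte("meet at midnight")
	_, o.TamperedErr = ks.Verify(m)
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("first pinned=%v second=%v impostor=%v tampered=%v\n",
		o.FirstMsgPinned, o.SecondMsgErr, o.ImpostorErr, o.TamperedErr)
}
```

Note what the pinned key does and does not establish: it ties every later message to whoever held the private key at first contact, which is exactly the "same source as the previous signed message" claim, and nothing more. Who that key holder is remains outside the mechanism, as the poster says, and the first contact itself is the moment an interceptor would have to substitute a key.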

Comment Re:I use GnuPG (Score 1) 309

Even if the message was legit, how can I know my routing or DNS isn't being tampered with? How do I verify andycanfield.com is really yours?

You can try setting your DNS server IP address to 8.8.8.8. That's Google's dedicated DNS server. Whatever Google says is by definition true.

Comment Re:I use GnuPG (Score 1) 309

Ultimately, it comes down to the question "why do you care who Andy Canfield is?" Are they planning to exchange money for goods or services? Write you a mash note? Collect on a debt?

I am not a part of the world wide financial network. Nobody can steal my credit card number because I have no credit card. I don't borrow money so if you are trying to collect on a debt you're a liar. HSBC once gave me overdraft protection and I told them to take it off; when I run out of money I want to run out of money. You want to write me a mash note? Fine, please include a picture.

Professionally I create software and upload it through the Internet. The customer likes what he gets and deposits money into my bank account. I take it out with my ATM card and buy things in my home town. It may be less convenient, but it's a LOT more secure. And if you don't pay me, I stop doing things for you.

The Internet is ***NOT*** secure. We used to think it was, but Ed Snowden and the NSA proved us wrong. Someday, perhaps, it will be secure again. When it is, let me know.

Comment Re:I use GnuPG (Score 1) 309

The NSA can't subvert a keyserver.

HAH! Which rock were you born under? I use 'whois' and 'dig' to find out who owns the IP address, and anything with a U.S. IP address is questionable. Under US 'Law', the NSA can do anything it pleases, and even if you're forced into it, it's illegal to tell anyone about it. 'andycanfield.com' is registered in Thailand and points to a hardware box in Bangkok where I myself have installed and maintain Ubuntu Linux. AFAIK the NSA can NOT subvert my server, although of course they can subvert the routers leading to the server.

Also, I see that your key is on a keyserver: http://pgpkeys.mit.edu/pks/loo...

I have NEVER posted my key on any keyserver. What other people chose to spider and copy is out of my control.

Comment Re:I use GnuPG (Score 2) 309

Good points.

I rely on the domain name www.andycanfield.com. If somebody is faking that on your network then there is nothing I can do about it. However, I point out that if the message "from me" is signed, then it was signed by my PRIVATE key and the public key you get from my web site should confirm the signature.

You left off the top level: Who the H* is "Andy Canfield" anyway? This body? That site? My passport? Police in this town wave to me every morning, but can't spell my name in English. I have decided that "Andy Canfield" is anybody who controls my secret key, regardless of her name or address.

I don't use https because I'm too much of a stingy anarchist to pay for a key.

Comment I use GnuPG (Score 3, Interesting) 309

My GnuPG public key is on my web site (www.andycanfield.com). It is not on any "KeyServer"; I don't believe in key servers, that's just another layer that the hackers can break and the NSA can subvert.

I use Thunderbird; the interconnection between that and encryption is clumsy [e.g. if you haven't got a key for somebody, don't encrypt the message, dummy!]. But it works. As long as it's smarter than Keith Alexander and Vladimir Putin, I'm satisfied. The important thing is that PGP is a ***standard***. Any idiot can come up with something better, but he can't make it a standard, so my correspondent on the other end of the wire can't use it.

Oh, and my e-mail address is on Yandex, which is in Moscow.

Comment "The enemy is us" (Pogo) (Score 1) 86

Who are the hackers? The United States Federal Government (NSA, CIA, etc). No mystery. You're biting yourself and getting sick; brush your own teeth. Seriously, the climate of paranoia and total espionage that is Uncle Sam today promotes hacking everyone, including "yourself". If the Pentagon is encouraged to hack the German State Department, why shouldn't it hack the U.S. State Department while it's at it? Sure, Germany is supposed to be an ally, and the US is supposed to be an ally, but Uncle Sam hacks allies already. If everywhere, why not here?

Comment Human (Score 5, Interesting) 576

I once had two ducks. I wondered what I looked like to my ducks. I decided that I look like a duck. All the extra powers that make me more than a duck - speech, thinking, telephones, etc. - are beyond the duck's imagination. To a duck, I look like a duck.

Then I wondered what an alien would look like to me, a human. I decided that an alien would look just like another human. So I began to wonder what advanced characteristics I could watch out for. Successful businessman, good luck, healthy long life, mysterious origin, that sort of thing.

I found one. At the time he was my boss. He pretends to be Chinese, but hey, what westerner really knows what Chinese people look like?

They have landed already; and they are friendly. I was friendly to my ducks, and that Chinese family is friendly to me.

Comment Think? Know? (Score 3, Insightful) 514

I disagree with the headline here. The presumption is that the public merely thinks, but may be wrong, and scientists actually know facts.

Everyone listens to those whom they respect. Some are taught to respect firebrand preachers; some believe any idiot with a PhD. Some look for truth in Biblical quotes, but can't read; others believe in scientific method, but couldn't explain scientific method if you gave them a cheat sheet.

Example: Is the world flat or round? Well, people we respect say that it is round. But how many average citizens have a clue to the evidence?
