Alexandru writes:

> Can't I just create a public key with the Harald's
> name and email address and then post to this list
> claiming I'm Harald?

Sure, but that wouldn't do much good, because of the way PGP's key infrastructure works. See, with PGP, you NEVER trust a key just because it claims to belong to a specific entity. You trust a key ONLY when the entity to whom that key belongs communicates the key to you directly and securely (as by handing you a diskette in person).

Thereafter, you can use that key, which you can now trust to be valid, as a source of validation for other keys, in that you can choose to trust any other key that is signed by the one key that you already trust (the degree to which you do this is up to you, and depends mainly on how much you trust the owner of the first key as a reliable "introducer" of other entities and their keys).

Thus, you'd never trust a key just because it was on a public server, but you might trust it if it were signed by someone whose key you already trust, and you might trust it if you received the key directly from its owner.

PGP's great advantage is that it does not impose any specific trust model, nor does it require that everyone trust a single certification authority. This is a huge benefit compared to many other public-key infrastructures.
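
The validity rule described in the reply above, as an added example that is not part of the original post: a toy model with no real cryptography, showing why a look-alike key carrying Harald's name is never accepted. All key IDs and addresses are constructed; the full/marginal introducer levels and the threshold of 3 marginal signatures are assumptions that go beyond the post, standing in for "the degree to which you do this is up to you".

```python
from dataclasses import dataclass, field

FULL, MARGINAL = "full", "marginal"   # assumed introducer trust levels

@dataclass
class Key:
    key_id: str
    user_id: str                                  # claimed identity; anyone can type anything
    signed_by: set = field(default_factory=set)   # key_ids that certified this key

def valid_keys(keyring, direct, owner_trust, marginals_needed=3):
    """Return the key_ids you may treat as valid.
    direct: keys received directly and securely from their owners.
    owner_trust: key_id -> FULL/MARGINAL, your confidence in that owner as introducer."""
    valid = set(direct)
    changed = True
    while changed:                                # repeat until no new key becomes valid
        changed = False
        for key in keyring.values():
            if key.key_id in valid:
                continue
            signers = key.signed_by & valid       # signatures from non-valid keys count for nothing
            full = sum(owner_trust.get(s) == FULL for s in signers)
            marginal = sum(owner_trust.get(s) == MARGINAL for s in signers)
            if full >= 1 or marginal >= marginals_needed:
                valid.add(key.key_id)
                changed = True
    return valid

def trusted_keys_for(user_id, keyring, valid):
    """Of all keys claiming user_id, return only those that are valid."""
    return {k.key_id for k in keyring.values() if k.user_id == user_id and k.key_id in valid}

HARALD = "Harald <harald@example.org>"            # constructed address
KEYRING = {k.key_id: k for k in [
    Key("ALICE", "Alice <alice@example.org>"),
    Key("CAROL", "Carol <carol@example.org>", {"ALICE"}),
    Key("HARALD_REAL", HARALD, {"ALICE"}),
    Key("HARALD_FAKE", HARALD, {"HARALD_FAKE", "MALLORY"}),  # self-signed plus unknown signer
    Key("MALLORY", "Mallory <mallory@example.org>"),
    Key("DAVE", "Dave <dave@example.org>", {"CAROL"}),       # one marginal signature only
]}
DIRECT = {"ALICE"}                                # key handed over by Alice in person
OWNER_TRUST = {"ALICE": FULL, "CAROL": MARGINAL}

if __name__ == "__main__":
    valid = valid_keys(KEYRING, DIRECT, OWNER_TRUST)
    print(sorted(valid))
    print(trusted_keys_for(HARALD, KEYRING, valid))
```

Two keys claim the same name and address, but only the one certified by an introducer you already trust resolves as Harald's; the self-signature and the signature from an unknown key add nothing.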