[Freedombox-discuss] Web of Trust Questions

Melvin Carvalho melvincarvalho at gmail.com
Tue Dec 13 11:16:44 UTC 2011


On 13 December 2011 09:27, John Walsh <fiftyfour at waldevin.com> wrote:
> Hi Everybody,
>
> In the web of trust (WOT), I can create my own identity/key as opposed to a
> Certificate Authority managing my identity/key. I could bring my key to a
> key signing party with proof of identity. Let's say Fred was at the key
> signing party, he checks my proof of identity and signs my key. My
> signed key is uploaded to a key server creating a chain of trust with Fred
> and the people who have signed Fred's key etc.
>
> If I go to Bob's website (WOT cert), Bob checks my credentials through the
> web of trust, i.e. only if there is a chain of trust between Bob's key and
> my key will Bob grant me access to his site, otherwise I will be refused
> access. Presumably, at the same time my browser will check there is a chain
> of trust between my key and Bob's key and if there is no chain of trust I
> will get a warning message, otherwise I will proceed as normal.
>
> The web of trust is not really a web of trust, but a network of identity
> checks, which is similar to Certificate Authorities. Firefox is loaded with
> CAs Mozilla trusts, but I don't know them from Adam, so there is no real
> reason I should trust them. Now, I would prefer to choose my own trust
> authorities, who wouldn't necessarily be everybody who has signed my key.
> For example, I wouldn't like my key to follow a chain of trust starting with
> the black sheep in my family because you can't choose your family.
>
> So, does the WOT follow a chain of trust of ALWAYS using everybody who has
> signed my key or can I choose my own trust authorities/anchors?
>
> Firefox's options allow you to import certificates. Can I add my own "web of
> trust authorities/certificates" to Firefox, which would have priority
> over Mozilla's chosen CAs? Please also confirm that I just import the
> certificates from key servers of those I trust.

I use my GPG key also as my X.509 certificate so can participate in
the GPG WOT and also "Web" based WOT.  So I can access control my
pages / files based on the identity that is requesting it, and some
public access for anonymous users.

Sadly, the WWW WOT is quite undeveloped at this stage.  The biggest
GPG WOT (strong-set) is 40,000 big; it should be possible to develop a
complementary graph on the web (the web was designed to scale very
large graphs) too.  Also we should be able to include the tel: URI
scheme to start to include the 5.3 billion mobile users.

Hopefully something we can improve in 2012. I've been looking at the
bitcoin otc WOT, which also combines with GPG, and thinking about
scaling it to the whole web: http://bitcoin-otc.com/viewratings.php

>
> Kind Regards
>
> fiftyfour

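As an added illustration (not part of either message in this thread): a simplified Python model of how OpenPGP-style key validity is computed from the verifier's side, so a signature on a key only counts when the verifier has chosen that signer as a trusted introducer. The key names and signature data are constructed; the default thresholds mirror GnuPG's `--completes-needed`, `--marginals-needed` and `--max-cert-depth` options, and the model ignores expiry, revocation and trust signatures.

```python
# Simplified web-of-trust validity model (added example, constructed data).
FULL, MARGINAL = "full", "marginal"

def valid_keys(own_key, signatures, ownertrust,
               completes_needed=1, marginals_needed=3, max_depth=5):
    """Return {key: depth} for every key the verifier accepts as valid.

    signatures: {signed_key: set of signer keys}
    ownertrust: {key: FULL | MARGINAL}, assigned by the verifier alone.
    """
    depth = {own_key: 0}  # the verifier's own key is the root of every chain
    for level in range(1, max_depth + 1):
        # A key may introduce others only if it is already valid AND the
        # verifier has explicitly chosen to trust its owner as an introducer.
        introducers = {k for k in depth if k == own_key or k in ownertrust}
        newly = {}
        for key, signers in signatures.items():
            if key in depth:
                continue
            good = signers & introducers
            full = sum(1 for s in good
                       if s == own_key or ownertrust.get(s) == FULL)
            marginal = sum(1 for s in good if ownertrust.get(s) == MARGINAL)
            if full >= completes_needed or marginal >= marginals_needed:
                newly[key] = level
        if not newly:
            break
        depth.update(newly)
    return depth

# Constructed sample: bob is the verifier; john's key carries two signatures.
SIGNATURES = {
    "fred": {"bob"},
    "blacksheep": {"bob"},           # bob checked this identity...
    "john": {"fred", "blacksheep"},
    "mallory": {"blacksheep"},       # ...but its signatures carry no weight
}
OWNERTRUST = {"fred": FULL}          # bob's own choice of introducers

if __name__ == "__main__":
    print(valid_keys("bob", SIGNATURES, OWNERTRUST))
```

In this model "john" is valid at depth 2 through "fred" alone, while "mallory" stays invalid because the only signer, "blacksheep", was never given ownertrust by the verifier.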