[Freedombox-discuss] Santiago Verifying Requests

Fifty Four fiftyfour at waldevin.com
Tue Apr 17 01:15:40 UTC 2012

Hi dkg,
Thank you for sharing your experience of using keys. It's so insightful.

> I'm not sure the latter concept is particularly meaningful even on its
> own.  The "web of trust" is probably a misnomer -- it leads many folks
> astray.  In the PGP world, this term describes a network of assertions
> about identity, which is overlaid with some (only very occasionally
> public) indications of willingness to rely on these identity
> assertions.
I wanted to use PGP to protect my privacy. I read what I could find about PGP and I spent most of my time trying to understand the "web of trust" concept. In time, I realized that the 'web of trust" is a misnomer too, yet the PGP community continues to use that name. Why can't the PGP community change it to something like P2P Identity checks as opposed to the CA model of hierarchical identity checks? Better still just say you appoint somebody to do identity checks on your behalf e.g. an "Identity/Certificate Agent" which is a concept similar to Certificate Authority that most people would probably understand. Just let the P2P Identity checks vs hierarchical identity check models recede into the background.

> The "willingness to rely on" is the only thing close to any common
> layman concept of "trust".  These are privately-held, for the most
> part.
> (i can count the number of public trust-assertions i know of in OpenPGP
> on one hand)
> So what is "within my web of trust" ?  Well, there's the handful of
> people who i'm willing to rely on to make claims of identity; people

> This group is (significantly) smaller than the group of people whose
> identity (and public key) i believe i know.
This suggests that at the most you trust 3 people to do identity checks on your behalf - fair enough. Do you believe this to be the norm? I am only asking to gauge the usage of the "web of trust" part of PGP because by far it’s the most confusing part of PGP. Why promote something so confusing that is not widely used? 

> Let's say Alice and Charlie work together closely in a tight-knit
> collective at night, and Alice and Bob are co-workers in a business
> together during the day.  Alice finds Bob boring and careless;  She
> thinks of Charlie as perceptive and bright.  The OpenPGP web of trust
> contains none of these qualitative judgments. What's more, i think it
> *shouldn't* contain these sorts of judgments; they make it harder to
> make statements of identity (because you'd be concerned about these
> other qualitative statements, which are much more open to change and
> reinterpretation), and they make it easier for a would-be big brother
> to mechanically figure out exactly who is a trusted and respected
> figure within certain subsets of the social graph.
Good point. However, when you have somebody do identity checks on your behalf there is still sort of a trust relationship. When big brother looks at your key can they tell the difference between as your "identity agents on your behalf vs those people you have just signed their keys?

Thanks for your insight again.

More information about the Freedombox-discuss mailing list