[Freedombox-discuss] Santiago Verifying Requests

Fifty Four fiftyfour at waldevin.com
Wed Apr 18 02:37:42 UTC 2012

Hi dkg,
Thanks for the clarification. I just have a few comments below.

> On 04/16/2012 09:15 PM, Fifty Four wrote:
> > the PGP community continues to use that name. Why can't the PGP
> > community change it to something like P2P Identity checks as opposed to
> > the CA model of hierarchical identity checks? Better still just say you
> > appoint somebody to do identity checks on your behalf
> "Web of trust" is a catchy term.  It's hard to get people to drop a catchy
> term, especially when both the term and its alternatives are a
> little hand-wavy to most users.
I agree "web of trust" is a catchy, hand-wavy term. However, it's also a misnomer that creates too much confusion. I just think if PGP is going to go with a hand-wavy term, at least pick one that isn't a misnomer.

> > e.g. an "Identity/Certificate Agent" which is a concept similar to
> > Certificate Authority that most people would probably understand. Just
> > let the P2P Identity checks vs hierarchical identity check models
> > recede into the background.
> I don't think i share your confidence that people already understand
> certificate authorities.  The majority of people who i've explained CAs
> to have been surprised to learn that they had been (and continue to)
> rely on these powerful and relatively unaccountable groups.
*understand* was a poor choice of words. I should have said that people are familiar with and blindly trust CAs because of the entities (banks, governments etc.) that use CAs. So if you explain to somebody that an "Identity Agent" is similar to a Certificate Authority, then I think most people wouldn't be interested in knowing anything about the "Web Of Trust". I would add that PGP has additional strengths over CAs, such as the ability to have full control over your own identity without your identity being held to ransom by a CA. Secondly, PGP allows multiple signatures on your key while a CA only allows one signature - PGP comes with built-in redundancy if one of those signatures proves unreliable, while CAs have no such redundancy, leaving you without an identity!

I think it's unfortunate so many "web of trust" explanations are a "how to" rather than describing PGP strengths.

> I do like your term "p2p identity", but i'm wary of the social work it
> will take to get people to start using new terms.  If we want any new
> terms to stick, that kind of coinage work needs to be coupled with
> building out additional infrastructure that uses the new term and makes
> its meaning nice and clear.
FBX is a consumer product and it's a great opportunity to rebrand a great technology like PGP to stop using misnomers and use labels that are similar to "familiar concepts", e.g. Identity Agent vs CA. I am not too bothered what labels are used as long as it's not a misnomer. Twitter rebranded "txt", "post", "comment", "pick your own" to "tweet" and "forward" to "retweet". FBX is a great opportunity to rebrand PGP terms in the FBX UX.

> > the "web of trust" part of PGP because by far it's the most confusing
> > part of PGP. Why promote something so confusing that is not widely
> > used?
> Because the confusing thing that *is* widely used is significantly
> worse due to its propensity for centralized control and resistance to
> corrective action in the face of known malfeasance?
I take your point that you need to promote the "web of trust" to highlight the weaknesses of CAs. As I said earlier, I think the benefits of PGP need to be promoted, rather than a "web of trust" how-to. What does PGP give you, rather than how do you use PGP?