Web of Trust (a revolution)
"Stanisław T. Findeisen"
sf181257 at students.mimuw.edu.pl
Wed Apr 1 11:42:51 UTC 2009
> Difficult at best, who wants to trust a faceless corporation? Not to be
> cynical but you might trust the receptionist but what about the IT dept?
> Are they competent? Money is no guarantee of anything, in fact the
> larger the company the more likely they will let something slip through
> the cracks. Companies all say they are secure and trustworthy, but who
> is hiring these people? Are there background checks? Should there be?
> Probably they outsource that and then you have to see if you can trust
> that company too. The main problem is that so much gets outsourced so
> dept head A doesn't have to worry about it but who is checking that this
> other company is doing it right? It's an endless cycle of paranoia.
Exactly. Trusting "a corporation" boils down to trusting its owners, and
owners are those who hold the shares. In case you don't know how
ownership of a public company works, google for "stock exchange" or so.
:-) And understand that companies can hold the shares of other
companies, too. :-)
Anyway. Show me one positive thing PKI has that OpenPGP Web of Trust is
missing. From this thread it looks to me that few of us are aware of
the "trust signature level" notion. See the GnuPG manual ("tsign") or here:
It looks to me that using trust signature levels (not just 2 or 3, like
in X.509, but 10+) one can build his own key hierarchy. Here is an
example: http://www.gswot.org/ .
Also Wikipedia (http://en.wikipedia.org/wiki/Web_of_trust) states that
there are sites allowing you to find OpenPGP Web of Trust members near
you (geographically), so that you could meet in person and sign each
other's key. Sure, you might not be sure how honest a particular person
is, or how accurate she is when it comes to key signing. But it *might*
be helpful to know that a key of someone else that you haven't met in
person has been signed by, say, 10 different people that you did meet
before (see http://www.gnupg.org/gph/en/manual.html#AEN385).
So. Summarizing all this, I would say that OpenPGP Web of Trust is (much)
more flexible than PKI, and when it comes to implementation, it looks
like with OpenPGP you are the one to decide whom to trust
(http://www.gnupg.org/gph/en/manual.html#AEN385) (which is not the case
with PKI, where a single certificate chain is sufficient for the trust
to be assigned locally).
The revolution strategy will follow in my reply to Todd Zullinger's post
(03/31/2009 01:10 AM).
OpenPGP: 9D25 3D89 75F1 DF1D F434 25D7 E87F A1B9 B80F 8062
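The point made above, that with OpenPGP *you* decide whom to trust and a stranger's key can still become valid because enough people you met have signed it, can be shown with a small model of GnuPG's classic trust computation. This is an added example, not code from the post or from GnuPG: it uses GnuPG's default thresholds, treats a "tsign" level n as permission to delegate n further hops, ignores the tsign trust amount and domain restriction, and the key ids and trust assignments are constructed.

```python
# GnuPG defaults for its classic trust model (--completes-needed, --marginals-needed, --max-cert-depth)
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5

def compute_validity(certs, my_key, owner_trust):
    """certs: keyid -> [(signer_keyid, tlevel)] where tlevel 0 is a plain certification
    and n > 0 a trust signature ("tsign") of level n.  owner_trust: keyid -> 'full'|'marginal'
    as assigned by *you*.  Returns keyid -> 'ultimate'|'full'|'marginal'|'unknown'."""
    validity = {my_key: "ultimate"}
    # effective owner trust plus how many further tsign levels the key may delegate
    # (simplification: explicitly assigned trust delegates nothing)
    eff = {k: (t, 0) for k, t in owner_trust.items()}
    eff[my_key] = ("full", MAX_CERT_DEPTH)
    for _ in range(MAX_CERT_DEPTH):                 # each pass is one more hop in the chain
        valid_before = set(validity)
        for kid, sigs in certs.items():
            if kid in validity:
                continue
            completes = marginals = delegated = 0
            for signer, tlevel in sigs:
                if signer not in valid_before:      # only signatures by valid keys count
                    continue
                trust, depth = eff.get(signer, ("unknown", 0))
                if trust == "full":
                    completes += 1
                    if tlevel and depth:            # tsign from a signer allowed to delegate
                        delegated = max(delegated, min(tlevel, depth))
                elif trust == "marginal":
                    marginals += 1
            if completes >= COMPLETES_NEEDED:
                validity[kid] = "full"
            elif marginals >= MARGINALS_NEEDED:
                validity[kid] = "marginal"
            else:
                continue
            if delegated and kid not in owner_trust:  # the tsign made it a trusted introducer
                eff[kid] = ("full", delegated - 1)
        if set(validity) == valid_before:
            break
    return {k: validity.get(k, "unknown") for k in certs}

# Constructed sample ring: A, B, C were met in person and given marginal trust; X was never met but
# is signed by all three; "me" gave D a level-1 tsign, so D's plain certification of Y suffices alone;
# Z is signed only by X, which you assigned no trust.
SAMPLE_CERTS = {"me": [], "A": [("me", 0)], "B": [("me", 0)], "C": [("me", 0)],
                "X": [("A", 0), ("B", 0), ("C", 0)], "D": [("me", 1)], "Y": [("D", 0)], "Z": [("X", 0)]}
SAMPLE_TRUST = {"A": "marginal", "B": "marginal", "C": "marginal"}

if __name__ == "__main__":
    print(compute_validity(SAMPLE_CERTS, "me", SAMPLE_TRUST))
```

Note the distinction the output makes: A's key is fully *valid* (you signed it yourself) while its owner *trust* stays marginal, so three such keys are needed before X becomes valid, and X's own signature on Z counts for nothing because you never assigned X any trust.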