Web of Trust (a revolution)

"Stanisław T. Findeisen" sf181257 at students.mimuw.edu.pl
Wed Apr 1 11:42:51 UTC 2009


m wrote:
> Difficult at best, who wants to trust a faceless corporation? Not to be 
> cynical but you might trust the receptionist but what about the IT dept? 
> Are they competent? Money is no guarantee of anything, in fact the 
> larger the company the more likely they will let something slip through 
> the cracks. Companies all say they are secure and trustworthy, but who 
> is hiring these people? Are there background checks? Should there be? 
> Probably they outsource that and then you have to see if you can trust 
> that company too. The main problem is that so much gets outsourced so 
> dept head A doesn't have to worry about it but who is checking that this 
> other company is doing it right? It's an endless cycle of paranoia.

Exactly. Trusting "a corporation" boils down to trusting its owners, and 
owners are those who hold the shares. In case you don't know how 
ownership of a public company works, google for "stock exchange" or so. 
:-) And understand that companies can hold the shares of other 
companies, too. :-)

Anyway. Show me one positive thing PKI has that OpenPGP Web of Trust is 
missing. From this thread it looks to me that few of us are aware of the 
"trust signature level" notion. See the GnuPG manual ("tsign") or here: 
http://www.google.com/search?hl=pl&q=gpg+tsign+site%3Awww.gnupg.org&btnG=Szukaj&lr=

It looks to me that using trust signature levels (not just 2 or 3, like 
in X.509, but 10+) one can build his own key hierarchy. Here is an 
example: http://www.gswot.org/ .

Also Wikipedia (http://en.wikipedia.org/wiki/Web_of_trust) states that 
there are sites allowing you to find OpenPGP Web of Trust members near 
you (geographically), so that you could meet in person and sign each 
other's key. Sure, you might not be sure how honest a particular person 
is, or how accurate she is when it comes to key signing. But it *might* 
be helpful to know that a key of someone else that you haven't met in 
person has been signed by, say, 10 different people that you did meet 
before (see http://www.gnupg.org/gph/en/manual.html#AEN385).

So. Summarizing all this I would say that OpenPGP Web of Trust is (much) 
more flexible than PKI, and when it comes to implementation, it looks 
like with OpenPGP you are the one to decide whom to trust 
(http://www.gnupg.org/gph/en/manual.html#AEN385) (which is not the case 
with PKI, where a single certificate chain is sufficient for the trust 
to be assigned locally).

The revolution strategy will follow in my reply to Todd Zullinger's post 
(03/31/2009 01:10 AM).

STF

=======================================================================
http://eisenbits.homelinux.net/~stf/
OpenPGP: 9D25 3D89 75F1 DF1D F434  25D7 E87F A1B9 B80F 8062
=======================================================================
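The two mechanisms the post above relies on, trust signatures ("tsign") that delegate introducer status a fixed number of levels down, and the "several marginally trusted signers make a key valid" rule, are easier to reason about on a small graph. The following is an added example written for this page, not code from the post or from GnuPG: a simplified Python model of the PGP "classic" validity computation that GnuPG applies (its --marginals-needed, --completes-needed and --max-cert-depth settings) together with RFC 4880 trust-signature semantics. The key names and the signature graph are constructed sample data, and treating user-assigned "full"/"marginal" ownertrust as depth 1 (the key may certify but may not delegate) is a modelling assumption, not a statement about GnuPG internals.

```python
"""Illustrative model of OpenPGP web-of-trust validity with RFC 4880
trust signatures (what GnuPG's "tsign" creates).

Added example for this page; a simplified re-implementation of the rules,
not GnuPG's code.  The graph below is constructed sample data.
"""
from dataclasses import dataclass

FULL, MARGINAL = 120, 60   # RFC 4880 trust amounts: 120 = complete, 60 = partial
MAX_CERT_DEPTH = 5         # GnuPG default for --max-cert-depth


@dataclass(frozen=True)
class Sig:
    signer: str
    signee: str
    level: int = 0         # 0 = ordinary certification, n > 0 = level-n trust signature
    amount: int = FULL     # trust amount carried by a trust signature


def initial_trust(ownertrust):
    """Map the local user's ownertrust settings to (amount, depth) tuples.

    depth = how many further levels of trust signatures this key may delegate;
    a key needs depth >= 1 for its certifications to count at all.
    """
    table = {
        "ultimate": (FULL, MAX_CERT_DEPTH),
        "full": (FULL, 1),          # assumption: user-set trust does not delegate
        "marginal": (MARGINAL, 1),
    }
    return {key: table[level] for key, level in ownertrust.items()}


def compute_validity(sigs, ownertrust, marginals_needed=3, completes_needed=1):
    """Return (valid, trust): the set of valid keys and key -> (amount, depth).

    * ultimately trusted keys are valid by definition;
    * a key becomes valid once `completes_needed` fully trusted valid keys or
      `marginals_needed` marginally trusted valid keys have certified it;
    * a valid key trusted at depth d that issues a level-n trust signature on
      another valid key makes the signee trusted with amount
      min(signer amount, signature amount) and depth min(n, d - 1);
    * trust attached to a key that is not (yet) valid is never used.
    """
    trust = initial_trust(ownertrust)
    valid = {k for k, lvl in ownertrust.items() if lvl == "ultimate"}
    changed = True
    while changed:
        changed = False
        # 1. Validity: count distinct trusted signers per not-yet-valid key.
        for key in {s.signee for s in sigs} - valid:
            complete = marginal = 0
            for signer in {s.signer for s in sigs if s.signee == key}:
                amount, depth = trust.get(signer, (0, 0))
                if signer not in valid or depth < 1:
                    continue
                if amount >= FULL:
                    complete += 1
                elif amount >= MARGINAL:
                    marginal += 1
            if complete >= completes_needed or marginal >= marginals_needed:
                valid.add(key)
                changed = True
        # 2. Delegation: trust signatures from valid keys with spare depth.
        for s in sigs:
            if s.level == 0 or s.signer not in valid or s.signee not in valid:
                continue
            amount, depth = trust.get(s.signer, (0, 0))
            if depth < 2:               # depth 1 may certify but not delegate
                continue
            candidate = (min(amount, s.amount), min(s.level, depth - 1))
            if candidate > trust.get(s.signee, (0, 0)):
                trust[s.signee] = candidate
                changed = True
    return valid, trust


# Constructed sample web of trust (hypothetical names, not real keys).
SAMPLE_SIGS = [
    Sig("me", "alice", level=2),     # me: alice may issue level-1 trust signatures
    Sig("alice", "bob", level=1),    # alice: bob is a trusted introducer
    Sig("bob", "carol"),             # ordinary certification by a full introducer
    Sig("bob", "judy", level=1),     # bob has depth 1: certifies judy, cannot delegate
    Sig("judy", "mallory"),          # judy is valid but untrusted, so this is inert
    Sig("me", "dave"), Sig("me", "erin"), Sig("me", "frank"),
    Sig("dave", "grace"), Sig("erin", "grace"), Sig("frank", "grace"),
    Sig("dave", "heidi"), Sig("erin", "heidi"),   # only two marginal signers
    Sig("carol", "oscar"),           # carol is valid but has no ownertrust
]
SAMPLE_OWNERTRUST = {"me": "ultimate", "dave": "marginal",
                     "erin": "marginal", "frank": "marginal"}


def sample_result(marginals_needed=3):
    """Run the model on the sample graph; returns (sorted valid keys, trust)."""
    valid, trust = compute_validity(SAMPLE_SIGS, SAMPLE_OWNERTRUST, marginals_needed)
    return sorted(valid), trust


if __name__ == "__main__":
    valid, trust = sample_result()
    print("valid:", valid)
    print("trust:", trust)
    print("valid with marginals-needed 2:", sample_result(2)[0])
```

Run as written, heidi stays invalid (two marginal signers, three required) while grace becomes valid; lowering `marginals_needed` to 2, the local equivalent of `gpg --marginals-needed 2`, flips heidi to valid without anyone else's signatures changing, which is the "you are the one to decide" point. Note also that judy's certification of mallory never counts: bob's trust signature on judy is a valid certification, but bob's own depth is 1, so no introducer status reaches judy. In real GnuPG the corresponding delegation is made interactively with `gpg --edit-key <keyid>` followed by `tsign`, which prompts for the trust amount (marginal or full) and the depth (level) of the trust signature.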
