At 2:35 PM -0700 6/13/03, Pat Farrell wrote:
>At 11:56 AM 6/13/2003 -0400, John Kelsey wrote:
>>At 10:27 AM 6/11/03 -0700, bear wrote:
>>>That is the theory. In practice, as long as the PGP "web of trust"
>>
>>The thing that strikes me is that the PGP web of trust idea is appropriate
>>for very close-knit communities, where reputations matter and people
>>mostly know one another. A key signed by Carl Ellison or Jon Callas
>>actually means something to me, because I know those people. But
>>transitive trust is just always a slippery and unsatisfactory sort of thing--
>
>I may have missed it, but I thought that the web-o-trust model of PGP has
>generally been dismissed by the crypto community
>precisely because trust is not transitive.
>
>Similarly, the tree structured, hierarchical trust model has failed,
>we currently have a one level, not very trusted model with Verisign
>or Thawte or yourself at the top.
>
>I know from discussions with some of the SPKI folks that encouraging
>self defined trust trees was one of the goals.
>
>Of course, if the size of the tree is small enough, you can just
>use shared secrets.

The HighFire project at Cryptorights
<http://www.cryptorights.org/research/highfire/> is planning on building
a "web of trust" rooted in the NGOs who will be using the system. Each
NGO will have a signing key. An NGO will sign the keys of the people
working for it. In this manner, we have a way of saying, "The John Jones
who works for Amnesty International". An NGO may decide to sign another
NGO's signing key. Now we have a way to say to someone in Amnesty, "Send
a message to Steve Smith in Médecins Sans Frontières." The plan is to
show the trust relationship in the UI as a path of keys.

I would appreciate your comments.

Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz           | "A Jobless Recovery is | Periwinkle -- Consulting
(408)356-8506         | like a Breadless Sand- | 16345 Englewood Ave.
[EMAIL PROTECTED]     | wich." -- Steve Schear | Los Gatos, CA 95032, USA
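
The "path of keys" described in the message above, as an added example that is not part of the original post and not HighFire code: starting from the verifier's own NGO key, it follows only signatures that verify and returns the chain of names a UI could show. The Ed25519 signatures, the `Cert` layout, the use of names as identifiers and the `maxHops` depth limit are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Cert is a constructed format: Issuer vouches that Key belongs to Subject.
type Cert struct {
	Issuer, Subject string
	Key             ed25519.PublicKey
	Sig             []byte
}

func tbs(subject string, key ed25519.PublicKey) []byte { return append([]byte(subject+"\x00"), key...) }

// Sign issues a certificate over (subject, key) with the issuer's private key.
func Sign(issuer string, priv ed25519.PrivateKey, subject string, key ed25519.PublicKey) Cert {
	return Cert{issuer, subject, key, ed25519.Sign(priv, tbs(subject, key))}
}

// FindPath walks outward from the verifier's own NGO key, following only certificates that
// verify under a key already reached, at most maxHops signatures deep; nil means no path.
func FindPath(root string, rootKey ed25519.PublicKey, certs []Cert, target string, maxHops int) []string {
	keys := map[string]ed25519.PublicKey{root: rootKey}
	paths := map[string][]string{root: {root}}
	frontier := []string{root}
	for hop := 0; hop < maxHops && len(frontier) > 0; hop++ {
		var next []string
		for _, name := range frontier {
			for _, c := range certs {
				if c.Issuer != name || keys[c.Subject] != nil || len(c.Key) != ed25519.PublicKeySize ||
					!ed25519.Verify(keys[name], tbs(c.Subject, c.Key), c.Sig) {
					continue // wrong issuer, already reached, malformed key, or bad signature
				}
				keys[c.Subject], paths[c.Subject] = c.Key, append(append([]string{}, paths[name]...), c.Subject)
				next = append(next, c.Subject)
			}
		}
		frontier = next
	}
	return paths[target]
}
func main() { // constructed scenario from the post: Amnesty -> MSF -> Steve Smith
	aPub, aPriv, _ := ed25519.GenerateKey(nil)
	mPub, mPriv, _ := ed25519.GenerateKey(nil)
	sPub, _, _ := ed25519.GenerateKey(nil)
	certs := []Cert{Sign("Amnesty", aPriv, "MSF", mPub), Sign("MSF", mPriv, "Steve Smith", sPub)}
	fmt.Println(FindPath("Amnesty", aPub, certs, "Steve Smith", 2))
}
```

The depth limit is where the thread's concern about transitive trust becomes a policy knob: with `maxHops` set to 1 the same certificates yield no path to Steve Smith.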