At 10:27 AM 6/11/03 -0700, bear wrote:
...
That is the theory.  In practice, as long as the PGP "web of trust"
depends on connections made through signers not personally known to
the person depending on the security, it hardly works.  There is
very little verification done in the web of trust, not even for
consistency.  There's no way for it to propagate negative information,
(such as Bob's mention of having observed Alice verifying keys to
people not known to her) nor, where nyms are easy to come by, any
way for negative information to attach to a given person.

The thing that strikes me is that the PGP web of trust idea is appropriate for very close-knit communities, where reputations matter and people mostly know one another. A key signed by Carl Ellison or Jon Callas actually means something to me, because I know those people. But transitive trust is just always a slippery and unsatisfactory sort of thing--the fact that Jon Callas trusts Fred Smith trusts John Jones to sign a key doesn't really tell me whether or not I should trust him--by the time we're about three hops away, you'd have to be God to know enough to have your signature mean anything.


I don't particularly like the commercial certs, but the thousand
bucks or so ought to serve as a "bond", in that if people untrust
the keys, there is real value that will be lost.  That makes it
require some expenditure of resources to grab a new nym.  However,
even when provoked - even when root certs have been **SOLD** -
people still don't untrust them, because the news of the compromise
doesn't propagate around triggering revokes on individual systems.

A bigger issue is that there's usually no practical way to deal with revoking a root key in a PKI, even if there are technical mechanisms to do so. "And then you go out of business" is almost as unsatisfactory a protocol step as "And then you go to jail."


Bear

--John Kelsey, [EMAIL PROTECTED] PGP: FA48 3237 9AD5 30AC EEDD BBC8 2A80 6948 4CAA F259



---------------------------------------------------------------------
The Cryptography Mailing List