On Sun, May 30, 2004 at 12:36:53PM -0700, bear wrote:

> The bigger problem is that webs of trust don't work.
> They're a fine idea, but the fact is that nobody keeps
> track of the individual trust relationships or who signed
> a key; few people even bother to find out whether there's
> a path of signers that leads from them to another person,
> or whether the path has some reasonably small distance.
PGP keys are used extensively in the Debian community; new developers are only accepted if their PGP key has been signed by another Debian developer, so that there always is a trust path from one developer to any other. Some important things, like the upload of new packages or submitting votes, will only be accepted by the automated services if everything is properly signed. There is a strong incentive in this community to have a signed PGP key; if you didn't have one you couldn't do anything. In other areas there just is no incentive for having such a thing... like email; it works even if you don't sign it.

> I have not yet seen an example of "reputation" favoring
> one person over another in a web of trust model; it looks
> like people can't be bothered to keep track of the trust
> relationships or reputations within the web.

I think that's because the tools are lacking. GnuPG can determine trust paths, but you have to manually assign trust levels to certain keys and update the trustdb (which takes an awfully long time). If it would just work a bit faster and determine and show trust paths out of the box, I think PGP's web of trust model would be used a lot more.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <[EMAIL PROTECTED]>
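The trust-path computation Guus refers to (owner trust assigned by hand, validity derived from certifications, paths limited in length) is easy to show in miniature. The following is an added example, not code from the thread or from GnuPG itself; it models GnuPG's classic trust model with its default parameters (one fully trusted signer or three marginally trusted signers make a key valid, paths at most five certifications deep) over a constructed web of hypothetical keys named after people rather than real key IDs or fingerprints. It also lists the signer chains that make a given key valid, which is the "show trust paths out of the box" step the message says the tools lack.

```python
from collections import defaultdict

ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"

# Constructed sample web of trust (hypothetical keys, not real key IDs).
# CERTIFICATIONS maps a signing key to the keys it has certified.
CERTIFICATIONS = {
    "alice": {"bob", "carol", "dave", "mallory"},
    "bob": {"erin"},
    "carol": {"erin"},
    "dave": {"erin", "heidi"},
    "erin": {"frank"},
    "frank": {"grace"},
    "mallory": {"oscar"},
}

# Owner trust is the part the local user must assign by hand. Keys absent
# from this table have no owner trust, so their signatures count for nothing
# even when the key itself is valid (see "mallory" below).
OWNER_TRUST = {
    "alice": ULTIMATE,   # the local user's own key
    "bob": MARGINAL,
    "carol": MARGINAL,
    "dave": MARGINAL,
    "erin": FULL,
    "frank": FULL,
}


def compute_validity(certs, owner_trust, completes_needed=1,
                     marginals_needed=3, max_cert_depth=5):
    """Return {key: depth} for every key that is valid.

    Mirrors the classic PGP rules: a key is valid if it is certified by at
    least `completes_needed` fully/ultimately trusted valid keys or by at
    least `marginals_needed` marginally trusted valid keys, and the chain of
    certifications back to an ultimately trusted key is no longer than
    `max_cert_depth`. Validity is computed one depth level per round.
    """
    depth = {k: 0 for k, t in owner_trust.items() if t == ULTIMATE}
    signers_of = defaultdict(set)
    for signer, signed in certs.items():
        for key in signed:
            signers_of[key].add(signer)

    for d in range(1, max_cert_depth + 1):
        newly = {}
        for key, signers in signers_of.items():
            if key in depth:
                continue
            trusted = [s for s in signers if s in depth]
            completes = sum(1 for s in trusted
                            if owner_trust.get(s) in (ULTIMATE, FULL))
            marginals = sum(1 for s in trusted
                            if owner_trust.get(s) == MARGINAL)
            if completes >= completes_needed or marginals >= marginals_needed:
                newly[key] = d
        if not newly:
            break
        depth.update(newly)
    return depth


def trust_paths(key, certs, validity, owner_trust):
    """List the certification chains that make `key` valid.

    Each path runs from `key` through trusted, valid signers up to an
    ultimately trusted key; an invalid key yields no paths.
    """
    if key not in validity:
        return []
    if validity[key] == 0:
        return [[key]]
    paths = []
    for signer, signed in certs.items():
        if (key in signed and signer in validity
                and validity[signer] < validity[key]
                and owner_trust.get(signer) in (ULTIMATE, FULL, MARGINAL)):
            for tail in trust_paths(signer, certs, validity, owner_trust):
                paths.append([key] + tail)
    return paths


if __name__ == "__main__":
    validity = compute_validity(CERTIFICATIONS, OWNER_TRUST)
    for k in sorted(set(CERTIFICATIONS) | {s for v in CERTIFICATIONS.values() for s in v}):
        print(f"{k:8s} depth={validity.get(k, '-')} "
              f"paths={trust_paths(k, CERTIFICATIONS, validity, OWNER_TRUST)}")
```

In the constructed web, "erin" becomes valid only because three marginally trusted signers vouch for her, "heidi" (one marginal signer) and "oscar" (signed by a valid key with no owner trust) stay invalid, and "grace" drops out as soon as `max_cert_depth` is lowered to 3, which is the "reasonably small distance" question from the quoted post made concrete.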