Robert J. Hansen wrote:
>> Hi, I don't wish to be over-simplistic, but I had thought that the web
>> of trust was a people thing rather than a mathematical model.
>
> Honestly, it's a little of one and a lot of the other. The question of
> "whom do I trust and why?" is purely a human factor; the question of
> "... and given I trust them, what can I deduce to be true?" is a
> mathematical question.
>
>> What is trust anyway?
>
> Generally, trust is the ability to break someone's security policy.
>
> E.g., I've given a friend of mine from college, John Hawley, a trusted
> signature. John can now screw over my local security policy. If I see
> a key which John has signed, I'm going to assume that key is valid. If
> John signs keys that aren't valid, he can break my security policy.
>
> This is why most uses of the phrase "trusted system" give security geeks
> the heebie-jeebies. A trusted system is, ironically, more dangerous
> than an untrusted system. An untrusted system has no capability to
> break your security policy; a trusted system can. That means trusted
> systems often need to be watched like hawks.
>
> In a similar vein, many Wall Street brokers were trusted with billions
> of client money -- and they should have been watched closely as a result
> of that trust.
>

I appreciate secure systems - being rigid are apt to get broken or
people break out of them :) just as equally friendships based on common
interests and concerns dissolve - maybe there's no trust in keys at
all. It's a value judgement - that over time, changing conditions may
not reflect the "trust" one had in regard to the person. I'm not likely
to put trust into systems.

I appreciate the security of transmitted data and a requirement it's
not going to leak out the edges or that someone's going to compromise
oneself or others - or (it just struck me) that I may want to
compromise someone (shudder) but then we are still making value
judgements about people and who we trust and why we trust them.

It was philosophical - radical politics - enabling people to protect
their privacy - as a driving principle - where are we now then? A small
group of people that's fairly secure - but the principle is for public
worldwide use of PGP to safeguard their privacy - with a fair few
intent on breaking it.

It's still a people thing - conflicts of interest, politics,
philosophy, the ethics or mores that govern how people interact. What
they share - are we to become closed and only open if a key is trusted
by so many? That in itself is a weakness.

Must be the Med sea and the coffee ............

Happy Days

David
