On 9/6/13 7:04 PM, Ted Lemon wrote:
> It's not at all clear to me that "serious" trust mechanisms should be
> digital at all.

They're not.

> Be that as it may, we have an existence proof that
> a web of trust is useful—Facebook, G+ and LinkedIn all operate on a
> web of trust model, and it works well, and, privacy issues aside,
> adds a lot of value.

I'm not quite sure how we got from the question of how to do crypto better as a means to provide stronger privacy protections to the value of Facebook, to be honest. Possibly because of the key signing proposal.

But here's some anecdata. Got a FB friend request from someone I didn't know, checked him out and we seemed to have quite a few friends in common, so I accepted. When he did, in fact, turn out to be a jerk I wrote to some of the friends-in-common and it turns out that nobody knew who he was - a few people with lax friending policies had accepted his friend requests and that formed the basis for a bunch of the rest of us assuming he'd be okay.

At any rate I think it's pretty clear that the semantics of pgp signing are not agreed-upon and that's led to a lack of clarity around individual decisions about key signing. I find pgp useful for sloppy, casual, but easy-to-use crypto but I certainly wouldn't want to use it as the basis for assurances about identity, etc.

Melinda