Re: pgp signing in van

On Sep 6, 2013, at 11:12 PM, Melinda Shore <melinda.shore@xxxxxxxxx> wrote:
> I'm not quite sure how we got from the question of how to
> do crypto better as a means to provide stronger privacy
> protections to the value of Facebook, to be honest.
> Possibly because of the key signing proposal.

It's not an accident. IMHO PGP is friending done right, in the sense that only you and your friend need know you friended each other. There's no central service provider who knows who's friends with whom, for all values of whom.

> But here's some anecdata.  Got a FB friend request from
> someone I didn't know, checked him out and we seemed to have
> quite a few friends in common, so I accepted.  When he did,
> in fact, turn out to be a jerk I wrote to some of the
> friends-in-common and it turns out that nobody knew who he
> was - a few people with lax friending policies had accepted
> his friend requests and that formed the basis for a bunch of
> the rest of us assuming he'd be okay.

Don't blame your friends. I never friend anyone I don't know personally. Our different styles illustrate the problem rather nicely... :)

> At any rate I think it's pretty clear that the semantics
> of pgp signing are not agreed-upon and that's led to a
> lack of clarity around individual decisions about key signing.
> I find pgp useful for sloppy, casual, but easy-to-use crypto
> but I certainly wouldn't want to use it as the basis for
> assurances about identity, etc.

Yes. But it is still _very_ useful.





