On Friday, September 06, 2013 19:12:58 Melinda Shore wrote:
> On 9/6/13 7:04 PM, Ted Lemon wrote:
> > It's not at all clear to me that "serious" trust mechanisms should be
> > digital at all.
>
> They're not.
>
> > Be that as it may, we have an existence proof that
> > a web of trust is useful—Facebook, G+ and LinkedIn all operate on a
> > web of trust model, and it works well, and, privacy issues aside,
> > adds a lot of value.
>
> I'm not quite sure how we got from the question of how to
> do crypto better as a means to provide stronger privacy
> protections to the value of Facebook, to be honest.
> Possibly because of the key signing proposal.
>
> But here's some anecdata. Got a FB friend request from
> someone I didn't know, checked him out and we seemed to have
> quite a few friends in common, so I accepted. When he did,
> in fact, turn out to be a jerk, I wrote to some of the
> friends-in-common and it turns out that nobody knew who he
> was - a few people with lax friending policies had accepted
> his friend requests and that formed the basis for a bunch of
> the rest of us assuming he'd be okay.
>
> At any rate I think it's pretty clear that the semantics
> of pgp signing are not agreed-upon and that's led to a
> lack of clarity around individual decisions about key signing.
> I find pgp useful for sloppy, casual, but easy-to-use crypto
> but I certainly wouldn't want to use it as the basis for
> assurances about identity, etc.

Because you trust PKI CAs so much more? They have different problems, but are inherently less reliable than web of trust GPG signing. It doesn't scale well, but when done in a defined context for defined purposes it works quite well. With external CAs you never know what you get.

Scott K