On 9/6/2013 11:04 PM, Ted Lemon wrote:
On Sep 6, 2013, at 10:35 PM, Melinda Shore <melinda.shore@xxxxxxxxx> wrote:
I actually don't think that pgp is likely to be particularly
useful as a "serious" trust mechanism, mostly because of
issues like this.
It's not at all clear to me that "serious" trust mechanisms should be digital at all. Be that as it may, we have an existence proof that a web of trust is useful: Facebook, G+ and LinkedIn all operate on a web of trust model, and it works well, and, privacy issues aside, adds a lot of value. IETF uses an informal web of trust, and it works well. Most open source projects use informal webs of trust, and they work well. PGP signing for software distribution works well.
I think there is a "webs of trust" tendency to believe the negative or
the worst isn't going to happen, well, to you, until it does or at
least rears its head. There are many forms. It's a different set of
mentalities with victims. Including the worth of dealing with it when
it's local vs. widespread.
The question is, can we cover the protection of them all,
communications wise, with protocols, guidelines and tools?
What these mechanisms are not is a web of trust that you could use to authenticate a real estate transaction. You shouldn't accept them as signatures on legal contracts. You shouldn't use them to transfer large sums of money to strangers. But they are definitely useful.
I think the best IETF can do is to make it available for
consideration, and of course, use good engineering, and ethical,
common sense.
We have conflictive goals among many in the marketplace, which is now
global, and it's even within market and technology leaders. The IETF
deals with communications and that should include with the end users
as well. Who are the IETF customers?
--
HLS