[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Announce: Web of Trust Ring
-----BEGIN PGP SIGNED MESSAGE-----
First: after mailing myself the file in 16k chunks... the ring is up, and
intact. The only difference from what the original was supposed to be is
that both of my keys are now assigned a trust of unknown instead of
undefined. *shrug*
From: Bryce Wilcox <[email protected]>
>A very interesting project! Can you give us some data like how many is the
>maximum number of hops necessary to connect two people on the WoT? (I am
>aware that one wouldn't want to trust such a connection, and that PGP
>doesn't actually allow you to do so for hops > 2...)
My original message details the brute-force approach I took, and the
imperfections that it intails. If everybody who signed a key recieved a
signature back from the same person, the ring I generated really would be
"The" WoT. (I don't mean to center on "my ring" versus local WoTs that
people have, but I centered around Warlord, Zimmermann, and Jeff S., and
seeing as how those happen to be keys that come with PGP, that's where I'd
imagine most people would start looking.) Unfortunately, there are a lot
of nobodies included just because they signed someone elses key. For the
same reason, someone who was signed by a well-known key, but didn't sign
back, and didn't sign anybody elses key who was included, didn't make it
to the ring. Imperfections aside, the ring is 4.5 meg smaller than the
unimi keyring, which makes it Pretty Good[tm]. (ha ha)
I forgot to mention it before, but this keyring is most accurately
described as a keyring full of some of the people who are more relevant to
the Web of Trust than lots of the people who aren't in the keyring.
PGP lets you define how many levels of trust you want. Due to the way
in which the ring was constructed, I'd guess that the longest chain could
not be longer than 6-8 keys.
>(P.S. I guess "12" based on the number of passes necessary. That seems
>like a really high number to me...)
No kidding. I ran the program with high priority most of the time, but
I was doing on my home 386... Hence the 4-6 hour runtimes per pass.
>Are any obvious pseudonyms in? (I would guess not.)
YEEEEEEESSSSSSS, there are.
(Hint: check for @whitehouse.gov)
>I wonder what sorts of statistical analyses could be done on this WoT?
It's still full of _nobodies_ who only got in because they signed a known
key of someone they never met and mailed it to a keyserver. Unfortunately,
I don't have the technical abilities to check for mutual signatures, or
only include keys that are signed by someone already in the WoT.
That's _my_ expert statistical analysis...
>Is it fairly evenly spread out or are the noticeably larger "clumps" of
>mutual signatures? How many keys *are* there in this (subset of the) WoT?
There's a couple people that have half a zillion sigs. Many people have
signed someone else's key but have noone else's sig on their own.
>Here's a question: for two randomly selected members of your WoT, how many
>signatures would a Man In The Middle have to fake in order to isolate
>the one member from the other?
If we talk about the WoT instead of the WoN (web of nobodies) then I would
guess faking 2-3 specific (attacker-chosen) people would cut off a good
share of the keys, 4-5 for many more, and about 500 (ok, maybe only 15-25)
for some of the well connected people.
For jargon's sake we can call those the Dial-up, the ISDN and the T3 people
respectively.
>Thanks for this, Don.
:)
- -Don the Dialup
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQB1AwUBME95P8La+QKZS485AQHmHQMAs0UXaSan5PWDfppPU1WCNuz7eiXgpxeS
Y+2vHc1ZofT+Mq99Y2+aMgZGPasowQ/zdLIf4mNLZR1QNEf7eUf9wCLXY2fH5REw
t4uwpvRlz9TkkaUbwSmW+kBXept8H7WE
=8kPL
-----END PGP SIGNATURE-----