Webs of Trust, Conspiracies, and Six Degrees of Cypherpunks
At 12:47 AM 9/11/98 -0700, Vladimir Z. Nuri wrote:
>wow, a new site called sixdegrees.com, in which everyone
>registers and reveals who their friends are. the privacy
>implications are really incredible. yet supposedly
>close to 1 million people joined, with 900,000 of them
>connected!!
We've got a somewhat related Cypherpunks problem,
which is PGP key signatures. The traditional software
likes chains of less than 4 deep, yet the last time
I checked the key servers, there were chains as deep as
12-14, and most people seemed to be at least 6 signatures
away from Phil Zimmermann or Derek Atkins, who were the
centers of the list at the time. (On the other hand,
I suppose a lot of signatures between Joe Cypherpunk,
Ivan Cypherpunk, T0T0M0nger, etc. could improve the averages :-)
The PGP Web of Trust key management tools have the
difficulty that they don't make it easy to decide which
signatures on your key to export when giving someone
a key to sign or distributing a key to a key server.
You can manage this somewhat by creating different
name/key pairs for different uses, with your
Phil Zimmermann, Respected Entrepreneur
key signed by venture capitalists and your
Phil Zimmermann, Anti-Nuclear Activist
signed by your fellow activists, and trying to make
sure that people who attend meetings at the bank building
where you have your office digitally sign in with their
Respectable Software Developer or Free Speech Activist personas,
and not with their
Buddhist Temple Assault Rifle Shooting Club
personas that seem to overlap with the Respected Entrepreneur web....
I'm not sure how solvable a problem this is -
there are some parts that are easier to solve, like
- storing secret keyrings entirely in encrypted form
This could be done using a disk encryptor instead,
or could be done using an additional passphrase
to unlock the keyring before determining whether
the specific key you want is on it; both are annoying.
The threat is the attack currently being used against T0T0,
whose secret keyring had a key for a persona that signed a
supposedly incriminating message. In his case, it was probably
just ranting or humor, but there are some PGP users who really
_are_ trying to overthrow their governments.
- friendlier GUI tools (e.g. the current PGPkeys lets you
add and delete signatures from a key in the keyring,
but doesn't let you decide which ones to export except
by deleting them, or by exporting to a separate keyring
and using the GUI on that keyring, which is awkward.)
Thanks!
Bill
Bill Stewart, [email protected]
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
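Worked example, added here as an illustration of the two problems Bill raises; it is not code from the original message. The chain-depth question can be checked on a keyring by parsing the output of `gpg --list-sigs --with-colons` into a signature graph and running a breadth-first search from a root key; the export-selection problem is handled by keeping only the certifications from a chosen set of signers (one persona's circle) when a key is exported. The keyring below is a constructed sample, the key IDs and people are made up, and the record layout (pub/uid/sig records, key ID in field 5, signer user ID in field 10 of sig records) is assumed to follow GnuPG's --with-colons format.

```python
"""Trust-path depth and signature export selection for a PGP web of trust.

Added example, not code from the original message.  SAMPLE_LISTING is a
constructed keyring in the layout of `gpg --list-sigs --with-colons`
(assumed format; key IDs and names are made up).
"""
from collections import deque

# Constructed sample: a chain Root -> Alice -> Bob -> Carol -> Dave -> Eve,
# plus Gus, who signed Alice but whom nobody in the chain has signed.
# Each key's first sig record is its self-signature (class 13x).
SAMPLE_LISTING = """\
pub:u:1024:17:0000000000000001:1998-01-01:::u:::scaESCA::::::
uid:u::::1998-01-01::X1::Root Signer <root@example.invalid>::::::::::0:
sig:::17:0000000000000001:1998-01-01::::Root Signer <root@example.invalid>:13x::
pub:u:1024:17:0000000000000002:1998-02-01:::u:::scaESCA::::::
uid:u::::1998-02-01::X2::Alice <alice@example.invalid>::::::::::0:
sig:::17:0000000000000002:1998-02-01::::Alice <alice@example.invalid>:13x::
sig:::17:0000000000000001:1998-02-02::::Root Signer <root@example.invalid>:10x::
sig:::17:0000000000000007:1998-02-03::::Gus <gus@example.invalid>:10x::
pub:u:1024:17:0000000000000003:1998-03-01:::u:::scaESCA::::::
uid:u::::1998-03-01::X3::Bob <bob@example.invalid>::::::::::0:
sig:::17:0000000000000003:1998-03-01::::Bob <bob@example.invalid>:13x::
sig:::17:0000000000000002:1998-03-02::::Alice <alice@example.invalid>:10x::
sig:::17:0000000000000004:1998-03-03::::Carol <carol@example.invalid>:10x::
pub:u:1024:17:0000000000000004:1998-04-01:::u:::scaESCA::::::
uid:u::::1998-04-01::X4::Carol <carol@example.invalid>::::::::::0:
sig:::17:0000000000000004:1998-04-01::::Carol <carol@example.invalid>:13x::
sig:::17:0000000000000003:1998-04-02::::Bob <bob@example.invalid>:10x::
pub:u:1024:17:0000000000000005:1998-05-01:::u:::scaESCA::::::
uid:u::::1998-05-01::X5::Dave <dave@example.invalid>::::::::::0:
sig:::17:0000000000000005:1998-05-01::::Dave <dave@example.invalid>:13x::
sig:::17:0000000000000004:1998-05-02::::Carol <carol@example.invalid>:10x::
pub:u:1024:17:0000000000000006:1998-06-01:::u:::scaESCA::::::
uid:u::::1998-06-01::X6::Eve <eve@example.invalid>::::::::::0:
sig:::17:0000000000000006:1998-06-01::::Eve <eve@example.invalid>:13x::
sig:::17:0000000000000005:1998-06-02::::Dave <dave@example.invalid>:10x::
pub:u:1024:17:0000000000000007:1998-07-01:::u:::scaESCA::::::
uid:u::::1998-07-01::X7::Gus <gus@example.invalid>::::::::::0:
sig:::17:0000000000000007:1998-07-01::::Gus <gus@example.invalid>:13x::
"""


def parse_signature_graph(listing):
    """Map each key ID to the set of other key IDs that certified it.
    Self-signatures carry no trust information and are skipped."""
    signers, current = {}, None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = fields[4]
            signers.setdefault(current, set())
        elif fields[0] == "sig" and current and fields[4] != current:
            signers[current].add(fields[4])
    return signers


def trust_depths(signers, root):
    """Breadth-first search from root along 'signer certified key' edges.
    Returns {key_id: hops from root}; keys with no chain at all are absent."""
    certified_by = {}  # signer -> keys it has certified
    for key, who in signers.items():
        for s in who:
            certified_by.setdefault(s, set()).add(key)
    depth, queue = {root: 0}, deque([root])
    while queue:
        k = queue.popleft()
        for nxt in sorted(certified_by.get(k, ())):
            if nxt not in depth:  # first visit is the shortest chain
                depth[nxt] = depth[k] + 1
                queue.append(nxt)
    return depth


def unreachable_within(signers, root, max_depth):
    """Keys whose shortest chain to root is longer than max_depth (or missing)."""
    depth = trust_depths(signers, root)
    return sorted(k for k in signers if depth.get(k, max_depth + 1) > max_depth)


def export_signatures(listing, key_id, allowed_signers):
    """Return the records for key_id, keeping its self-signature and only
    those certifications made by allowed_signers (one persona's circle)."""
    keep = set(allowed_signers) | {key_id}
    out, in_key = [], False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            in_key = fields[4] == key_id
        if in_key and not (fields[0] == "sig" and fields[4] not in keep):
            out.append(line)
    return "\n".join(out)
```

With the message's figure of four hops as the limit, Eve (five hops from the root) and Gus (no chain at all) come back as unreachable; exporting Alice's key with only the root signer allowed drops Gus's certification while keeping her self-signature and the root's.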