[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: True Names and Webs of Trust

To: Bryce Wilcox <[email protected]>
Subject: Re: True Names and Webs of Trust
From: "Patrick J. LoPresti" <[email protected]>
Date: Tue, 22 Aug 1995 19:17:28 -0400
Cc: [email protected], [email protected]
In-Reply-To: <[email protected]>
References: <[email protected]><[email protected]>
Reply-To: [email protected]
Sender: [email protected]

-----BEGIN PGP SIGNED MESSAGE-----

 >> Zimmermann clearly understood all of this, but I don't think he
 >> documented it properly.  In my opinion, everyone should always
 >> think in terms of man-in-the-middle attacks when signing a public
 >> key.  Mandating "True Names" is just an overconservative approach
 >> suitable for people who don't fully understand the issue.

 wilcoxb> My point exactly.  My post "Stop Fixating on True Names" was
 wilcoxb> an attempt to clarify things to said people.

Then you didn't clarify very well; to wit:

 wilcoxb> Okay now does anyone want to do any of the above two things
 wilcoxb> to me?  If not then *don't* *worry* about whether my public
 wilcoxb> key is signed by anyone or not.  It makes zero difference to
 wilcoxb> you until such a time as one of the above motivations
 wilcoxb> acquires.

 wilcoxb> Zimmermann et al. were/are naive to emphasize the Web of
 wilcoxb> Trust as a means of introducing strangers.

The first paragraph clarifies nothing because it is dead wrong; the
second because it is arrogant, offensive, and dead wrong.

 wilcoxb> From this perspective, the Web of Trust is the soul of
 wilcoxb> public-key cryptography.  From the other perspective ("Never
 wilcoxb> ever sign a key which you got off of a bulletin board!"
 wilcoxb> warns "pgpdoc1.txt") it is a cute anachronism.

The Web of Trust is a means of thwarting active attacks;
nothing more, nothing less.  "Perspective" has nothing to do with it.

Given that active attacks are hard to explain and understand fully,
the PGP docs are correct to advocate a conservative approach to
signing keys.  Novices *should* be taught to take the Web of Trust
seriously.  (Yes, I am retracting my own statements quoted above; the
more I think about it, the more I think it is very hard to teach a
novice the details of active attacks.)

Moreover, I suspect that active attacks are more likely today than
when those docs were written, which makes their advice precisely the
opposite of an "anachronism".

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface

iQCVAwUBMDpleHr7ES8bepftAQE0KgQAoAg5QeXwbtZzKMliNH63f3Ewvxz1g8gR
vlTPwZ8YRWANxFFbhN03DMo6HQI78f/8VnbvOB8osZz/aLQgmyuw6Q201vfHbbtu
gKpfLBPLu/Cl2JEk6FK58IYyvrTPZ7XKfp80LoRIby/pSU2uL7K2+7vfjGWGvjvY
V9s9mJUCGN8=
=OBD5
-----END PGP SIGNATURE-----

Follow-Ups:
- Re: True Names and Webs of Trust
  - From: Bryce Wilcox <[email protected]>

References:
- Re: True Names and Webs of Trust
  - From: "Patrick J. LoPresti" <[email protected]>
- Re: True Names and Webs of Trust
  - From: Bryce Wilcox <[email protected]>

Prev by Date: URGENT ANOTHER SCIENTOLOGY RAID: FACTNET
Next by Date: Re: Third World Man
Prev by thread: Re: True Names and Webs of Trust
Next by thread: Re: True Names and Webs of Trust
Index(es):
- Date
- Thread