
Web O Trust, active attacks against same, etc. AGAIN. (was: Usability of Cryptography (was Re: More FUD from First Virtual) )




-----BEGIN PGP SIGNED MESSAGE-----

 An entity calling itself "James A. Donald" <[email protected]> 
allegedly wrote:
>
> Web of trust is a mess because it attempts to link keys to 
> physical people, which in general cannot be done.
                   *******************************


Do you wish to substantiate this rather brazen assertion?  
I am very sure that PGP public key 0xCC56B2E9 belongs to my
housemate Sebastian Kuzminsky <[email protected]>.  Is
there some reason why I should doubt this belief?


Furthermore my mother <[email protected]>
<0x5E93210D> is very sure that PGP public key 0x617c6db9
belongs to me, and she is very sure that I am a trustworthy
introducer of keys.  Is there some reason why she should
abstain from associating Seb's key <0xCC56B2E9> in her mind
with my housemate?


> If we stick to a lesser goal -- constancy of identity -- 
> this is not so hard.  In general it is impossible to prove that 
> Bryce is the "real" Bryce, but it is trivial to prove that 
> Bryce is the same Bryce who has a certain Web page, and the
> same Bryce who posted a certain article in archives.


But if I am the victim of a successful active attack then you
are *not* certain that I am the same Bryce.  The Bryce who
posted a certain article in the archives might be completely
different from (and antagonistic toward!) the Bryce who later
contacts you in e-mail using the same public key.  Do you see
why?


> We should blow off this attempt to do the impossible.


It is far from impossible.  In fact, it is easy if we pay
attention and cooperate.  


Note that I am in complete agreement with you about the (non-)
value of "True" identities.  In the above example I do not 
expect you to care which Bryce is the "real" Bryce, but I *do* 
expect you to care that the two Bryces are different.


In short, the Web O Trust is important to maintain constancy
of identity.  It is not trivial, but neither is it impossible,
to do so.


Regards,

Bryce, a unique and autonomous entity


signatures follow

      "To strive, to seek, to find and not to yield."  -Tennyson
            <a href="http://www.c2.org/~bryce/Niche.html">

                          [email protected]                </a>


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01

-----END PGP SIGNATURE-----
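
The introducer chain described in the message above (the mother's key certifies Bryce's key, and Bryce's key certifies Seb's key), as an added Python example that is not part of the original post. It is a simplified model with fully trusted introducers only; the certificate list, the substitute key and the function names are constructed for illustration.

```python
# Simplified model of PGP introducer trust: fully trusted introducers only,
# no marginal trust and no depth limit. Illustration only, not PGP's own code.

MOTHER, BRYCE, SEB = "0x5E93210D", "0x617c6db9", "0xCC56B2E9"  # key IDs from the message
SUBSTITUTE = "0x00000000"  # constructed placeholder: a key swapped in by an active attacker

# (signer key, certified key, name the signer vouches for): constructed sample data
CERTS = [
    (MOTHER, BRYCE, "Bryce"),
    (BRYCE, SEB, "Sebastian Kuzminsky"),
    (SUBSTITUTE, SUBSTITUTE, "Sebastian Kuzminsky"),  # self-signature only
]


def valid_bindings(own_key, introducers, certs):
    """Return the (key, name) bindings the holder of own_key can accept.

    A certificate counts if it was made by own_key itself, or by a key that
    is already validly bound AND that the holder trusts as an introducer.
    """
    valid_keys = {own_key}
    bindings = set()
    changed = True
    while changed:  # propagate until no further binding is accepted
        changed = False
        for signer, key, name in certs:
            trusted = signer == own_key or (
                signer in valid_keys and signer in introducers
            )
            if trusted and (key, name) not in bindings:
                bindings.add((key, name))
                valid_keys.add(key)
                changed = True
    return bindings


def keys_for(name, bindings):
    """Keys validly bound to a name in the holder's view."""
    return {key for key, bound_name in bindings if bound_name == name}


def keys_claiming(name, certs):
    """Every key that merely carries the name, with no trust path required."""
    return {key for _, key, claimed in certs if claimed == name}
```

Looking up "Sebastian Kuzminsky" by name alone offers both the real and the substituted key. The mother's view, with Bryce as her introducer, accepts only 0xCC56B2E9, and accepts nothing for that name if she does not trust Bryce as an introducer.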