
Re: Senator, your public key please?



At 8:38 PM 5/18/96, [email protected] wrote:

...(my points elided)...

>All of these are products of misconceptions between using the
>WoT to certify identities, versus using it to certify how much
>you trust a person to certify someone else's identity, versus
>using it to certify arbitrary other qualities about a person.

Bryce, we've differed several times before about the web of trust,
especially "man-in-the-middle" issues. This looks to be the same sort of
issue.

I personally don't see key-signings as mainly useful for verifying the
"true name" of someone whose key I sign. (I don't check birth certificates,
passports, driver's licenses, etc.)

Rather, I view _my_ key signings as forms of vouching, or endorsement. Not
of all views, naturally, but as a statement that the person whose key I am
signing is someone I know and "trust" (in the sense that the key belongs to
the person I "know"). Thus, I know Eric Hughes, even though he may actually
be Fritz Kacynski, drop-out math student.


>
>For example, there is no reason why the hypothetical racist "Tom
>Metzger" would sign no black people's keys.  A key signature
>(PGP style) is just an assertion about the identity of someone.
>Haven't racists engraved markings on people's clothes,
>buildings, land, bodies and other belongings in order to
>identify the owners?  So why not do the same for keys.

Sure, he could do it. I'm saying that there's also a significant chance he
has no black friends or no blacks he deals with on a regular enough basis
to even be _asked_ to "vouch" for them, much less _agree_ to sign their
keys.

(This is the way it really does work in the real world, at least for many
of us. People who ask me to sign their keys from afar will get no response
from me. I don't even care if they fax me their birth certificates, etc.
Only people I have met or interacted with directly, or who seem to be known
by enough of my friends, get their keys signed.)

Now I can certainly see other folks signing keys on a different basis: upon
presentation of a valid passport, comparison of footprint with that on
birth certificate, etc. Such "credentialling agencies" will be valuable
players (to some) in the ecosystem of key-signers.

I'm just saying that I'm certainly not in the business of checking
credentials for free, and hence only sign keys for people I know fairly
well, or who know my own friends fairly well.

>This is illustrative of how much confusion reigns about keys,
>certs, nyms, signatures and cetera right now.
>
>
>I hope that TCMay is pointing out how _most_ people lack a
>proper understanding of the differences, rather than reflecting
>his own lack of understanding.

Bryce, I respect your views on this and MITM issues, but the fact that we
view things differently (and that Phil Z. views things differently from
you, and perhaps from me) should not always be ascribed by you as
"reflecting lack of understanding."

>Phil Zimmermann was confused about this, I think, when he wrote
>"Trust is not transitive.".  Some kinds of trust _are_
>transitive (with a coefficient, of course).  Hm.  I wonder if
>there are kinds of trust whose transitivity coefficient is 1?

Well, I wrote up my thoughts on how work on "belief networks" is less
confusing than the term "web of trust."

I believe different agents will use these belief networks in different
ways. Some will be focused on the issue of True Names and will calculate
beliefs on the basis of how much they think the key-signers are being
diligent enough in checking identities. Others will use belief networks to
convey trust that one is not a government agent (a practical example being
the use of PGP and webs of trust in the jungles of Burma, where I am quite
sure the "keyrings" did not deliberately include government agents,
regardless of how well they "proved" their identity!).

There is no single ontological interpretation of belief networks.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
[email protected]  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."