[messaging] User key lookup and the Web PKI analogy

elijah elijah at riseup.net
Tue Aug 19 15:18:03 PDT 2014

On 08/19/2014 02:36 PM, Daniel Roesler wrote:
> I agree that emulating Web PKI might not fit this situation, but
> that's because I'm not sure I fully understand the need for any PKI
> for human-to-human messaging. I don't need to be able to authenticate
> everyone out there, just the people I want to communicate with.

A great many interesting projects take this approach. There is a lot to
be said for dispensing with the messiness of infrastructure.

However, there are many usage scenarios where someone may need to
communicate securely with a high number of people with whom they have
never communicated before. Journalists, for example. I have also seen
this with some activists. I myself find that I use OpenPGP mostly for
people who I do not know. For people I know, we just use OTR.

In my experience, most people who prefer a decentralized
infrastructure-less approach can be fairly adamant about it (our
gracious convener Trevor is an exception). It is no accident that
libertarians and anarchists tend to map their ideological preferences
onto their technical preferences. I personally prefer technical
approaches that happen to not map at all to my political ideology.

I think there is certainly a place for both decentralized and
infrastructure approaches, and if we can actually get an infrastructure
approach that works reliably then people will start to see the usability
benefit. An improvement to how people handle random key material is no
small thing, and could make the difference between encryption technology
that is adopted and used correctly and encryption technology that is
either not adopted or not used correctly.

