[messaging] Affirmations

Mike Hearn mike at plan99.net
Mon Jan 5 11:36:22 PST 2015


I love your enthusiasm, but can you explain how it's functionally different
from regular PKI certificates? If Twitter cared, they could easily issue
certificates that attested to a Twitter handle. Someone else could do the
same thing using OAuth or the "post a magic tweet" method.

My point is, the web of trust is supposed to be (in my understanding) about
people verifying each other's identities and signing their keys, and then
doing some graph calculations to give a gradient of trust. Key *storage* is
centralised but key verification is decentralised.

If you simply say people are going to be identified by email/github/twitter
handle BUT storage of those facts is going to be decentralised, then what
you've got there is almost exactly the regular PKI in which no central key
directories are used but a handful of pre-agreed authorities verify public
keys.

As it happens I quite like the PKI model and wouldn't say no to a github
client certificate. But I don't see how involving PGP would be a big
upgrade. The only difference would seem to be whether you can sign with
your reddit+twitter+github+email address IDs simultaneously... but
existing mail apps don't support this sort of thing for the same reasons
browsers don't support websites signing with multiple certificates!
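The contrast drawn above, between a handful of pre-agreed authorities certifying a handle-to-key binding and peers certifying it with a graph-derived gradient of trust, is easier to see on a concrete keyring. The following is an added illustration for this thread, not code from the post or from any real product; every key id, handle, certification and trust assignment is constructed, and the "web of trust" rule is a simplified version of the GnuPG validity computation (one fully trusted certifier, or several marginally trusted ones, each of which must itself hold a valid key, within a bounded path length).

```python
"""Toy comparison of two ways to decide that an identity claim such as
"twitter:alice" really belongs to a public key.  Added illustration, not
code from the mailing-list post; all names, key ids and signatures are
constructed.

  * PKI model: the claim is valid iff a pre-agreed authority certified it.
  * Web-of-trust model: any peer may certify; a PGP-style rule decides
    (one FULL certifier, or `marginals_needed` MARGINAL certifiers, each
    holding a key that is itself valid, within `max_depth` hops).
"""
from dataclasses import dataclass, field

ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"


@dataclass
class Key:
    keyid: str
    uids: set                                   # identity claims bound to this key
    certs: dict = field(default_factory=dict)   # uid -> set of signer key ids


def certify(keyring, signer, target, uid):
    """Record that `signer` certified the claim `uid` on key `target`."""
    keyring[target].certs.setdefault(uid, set()).add(signer)


def pki_valid(keyring, keyid, uid, authorities):
    """PKI rule: valid iff at least one pre-agreed authority certified the claim."""
    return bool(keyring[keyid].certs.get(uid, set()) & authorities)


def wot_valid_uids(keyring, root, owner_trust, marginals_needed=3, max_depth=5):
    """Web-of-trust rule.  Returns the set of (keyid, uid) pairs the owner of
    `root` should accept.  Signers are only counted once their own key is
    valid, and each loop iteration extends the trust path by one hop, so
    `max_depth` bounds the path length from `root`."""
    valid_keys = {root}
    valid_uids = {(root, uid) for uid in keyring[root].uids}
    for _ in range(max_depth):
        newly = set()
        for key in keyring.values():
            for uid in key.uids:
                if (key.keyid, uid) in valid_uids:
                    continue
                signers = key.certs.get(uid, set()) & valid_keys
                full = [s for s in signers if owner_trust.get(s) in (FULL, ULTIMATE)]
                marginal = [s for s in signers if owner_trust.get(s) == MARGINAL]
                if full or len(marginal) >= marginals_needed:
                    newly.add((key.keyid, uid))
        if not newly:
            break
        valid_uids |= newly
        valid_keys |= {k for k, _ in newly}
    return valid_uids


def build_example():
    """Constructed keyring: a hypothetical handle-issuing authority, three
    peers I verified in person, Alice, and a competing claim to her handle."""
    keyring = {k: Key(k, uids) for k, uids in {
        "ME":      {"mail:me"},
        "BOB":     {"mail:bob"},
        "CAROL":   {"mail:carol"},
        "DAVE":    {"mail:dave"},
        "ALICE":   {"twitter:alice", "github:alice"},
        "EVE":     {"twitter:alice"},           # competing claim to the same handle
        "TWITTER": {"authority:twitter"},       # hypothetical pre-agreed authority
    }.items()}
    for peer in ("BOB", "CAROL", "DAVE"):
        certify(keyring, "ME", peer, f"mail:{peer.lower()}")   # I signed their keys
        certify(keyring, peer, "ALICE", "twitter:alice")       # each verified Alice
    certify(keyring, "BOB", "ALICE", "github:alice")           # a single certifier
    certify(keyring, "MALLORY", "EVE", "twitter:alice")        # certifier unknown to me
    certify(keyring, "TWITTER", "ALICE", "twitter:alice")      # the authority's attestation
    owner_trust = {"ME": ULTIMATE, "BOB": MARGINAL, "CAROL": MARGINAL, "DAVE": MARGINAL}
    return keyring, owner_trust


def evaluate():
    """Decide each claim under both models; returns {(keyid, uid): {"pki":..., "wot":...}}."""
    keyring, owner_trust = build_example()
    authorities = {"TWITTER"}
    claims = [("ALICE", "twitter:alice"), ("ALICE", "github:alice"), ("EVE", "twitter:alice")]
    accepted = wot_valid_uids(keyring, "ME", owner_trust)
    return {c: {"pki": pki_valid(keyring, c[0], c[1], authorities), "wot": c in accepted}
            for c in claims}


if __name__ == "__main__":
    for claim, verdict in evaluate().items():
        print(claim, verdict)
```

Both models accept Alice's Twitter claim and reject Eve's competing one, but for different reasons: the PKI verdict rests entirely on which authorities are in the pre-agreed set, while the web-of-trust verdict depends on how many independent peers I have verified and how much trust I assign each of them. Changing `marginals_needed` or `max_depth` moves the threshold along that gradient; there is no equivalent knob in the PKI model, which is the asymmetry the post is pointing at.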