valodim at mugenguild.com
Wed Jan 7 05:44:09 PST 2015
> My point is, the web of trust is supposed to be
I consider the Web of Trust as it is now a failed concept for a general
audience, for a couple of reasons (wall of text incoming, I apologize)
* the Web of Trust is essentially a decentralized PKI where every user
is also a CA, and which requires users to cherry-pick which CAs they
choose to trust and to what degree. I believe this complexity to be
way too much to ever hope for widespread adoption.
* those who use pgp tend to have strong opinions about it, especially in
regard to secret keys and circumstances under which a certificate may
* reasoning about the web of trust requires so much theoretical
background that the comfort zone most users live in is roughly the
point where nobody tells them they are using it wrong anymore. This
becomes very problematic when this point is achieved through dogma
rather than reason, "thou shalt certify only after personally checking
the fingerprint letter by letter"
* this leads to intolerance towards mistakes, wrong assumptions or even
differing opinions about secret key usage and the circumstances
certifications can be issued. "if you use it that way, you might just
not use it at all" leads to people not using it at all
* the worst part is - those people with rigid opinions are sort of
right. Alice's confidentiality properties in communications with Bob
might depend on a certificate issued by John, who is implicitly
burdened by this implication for every certificate he issues. A user
who is not very diligent about his certifications lowers the average
trustability of certifications, which is considered harmful behavior
and quite naturally so.
* one problem that has not even really surfaced yet is that for the web
of trust to work, you are required to publish your social graph,
including who and when you met, and how much you trust them.
* certifications are made with the master key, which is also the part of
the keyring which needs to be handled with the most care. convenience
of certification is a direct tradeoff with keeping the master key in a
safe place. this unfortunately also makes certification "on the go"
with a mobile device a no-go for many users.
* the strong set is 55k keys.
I am not saying the WoT doesn't have its place in the world (it works
for debian). In the end, if anyone who is not involved with security or
at least computers by trade asks me how they can encrypt their email
right now - I have no good answer.
So, why do I think affirmations are a worthwhile approach?
* perhaps most importantly, I believe the mechanism is understandable.
For a user who is familiar with twitter, the rough idea "the owner of
this keyring controls that twitter account, here's the tweet which
proves it" is at least somewhat understandable, the only non-trivial
puzzle piece being "there's this number which makes sure this is
* the decision of whether a key is genuine or not can be made ad hoc.
You don't need to sign every person you ever meet because half a
decade from now you might want to send them an email. If you want to
write a mail to somebody, you can search for a key and the software
provides you with possible reasons (though not proof! hence,
"affirmations") for why this key looks like a genuine candidate.
* the owner of a keyring is directly responsible for the trustability of
their keyring, almost fire-and-forget right after creation and not in
a persistent effort by having other people certify it.
* it drops the dependency on real life identities. I want to write a
mail to some developer I only know from github, I can write it to the
person who controls the/a keyring which associates itself to this
account. If I don't actually know this person, his real name or even
id will have little actual meaning to me, from my perspective the
person I want to talk to is the owner of that github account - whoever
* seamless compatibility. if your pgp software doesn't support
affirmation packets, no bother. If it does, you can use the
information they provide as a basis for trust decisions, but of course
you can also still certify people the old fashioned way.
Now obviously, an affirmation can never be as trustworthy as personal
verification. I would argue though that it is better than TOFU in this
regard, and kinda close to what CAs can offer, striking a good balance
> I love your enthusiasm, but can you explain how it's functionally
> different from regular PKI certificates? If Twitter cared, they
> could easily issue certificates that attested to a Twitter
They could, but they don't. What's more, would a certificate handed out
by twitter which attests that some account belongs to you really have
more meaning than a tweet saying the same thing?
> If you simply say people are going to be identified by
> email/github/twitter handle BUT storage of those facts is going to
> be decentralised, then what you've got there is almost exactly the
> regular PKI in which no central key directories are used but a
> handful of pre-agreed authorities verify public keys.
This is true, except the authorities only have to be "pre-agreed" in the
sense that they need to be supported by the pgp client software.
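As an added illustration of the affirmation check described in this message (not code from this thread, from any OpenPGP client, or from any real "affirmation packet" format), here is how a client could evaluate "the owner of this keyring controls that twitter account, here's the tweet which proves it". Everything in it is an assumption: the `Affirmation` structure, the handles, the post ids and the sample posts are constructed, the fetch is an offline stand-in for an HTTP request, and the "fingerprint" is a SHA-256 over stand-in bytes rather than a real OpenPGP v4 fingerprint.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Stand-in for a public key. A real client would hash the OpenPGP
# public-key packet to get the v4 fingerprint; here the "fingerprint"
# is SHA-256 over constructed bytes, which keeps the example offline.
ALICE_KEY = b"constructed public key material for alice (not a real key)"


def fingerprint(key_material: bytes) -> str:
    """Hex fingerprint of the key material (stand-in for an OpenPGP fingerprint)."""
    return hashlib.sha256(key_material).hexdigest().upper()


@dataclass(frozen=True)
class Affirmation:
    """What the keyring itself claims: 'I control this account, and the post
    with this id carries my fingerprint'. Hypothetical structure, not a
    real OpenPGP packet."""
    service: str
    handle: str
    proof_id: str


@dataclass(frozen=True)
class Tweet:
    author: str
    text: str


# Constructed sample posts standing in for what the client would fetch
# over HTTP, keyed by post id.
SAMPLE_TWEETS: Dict[str, Tweet] = {
    "1001": Tweet("alice", "Verifying my pgp key: " + fingerprint(ALICE_KEY)),
    "1002": Tweet("alice", "Verifying my pgp key: " + "0" * 64),
    "2001": Tweet("mallory", "Verifying my pgp key: " + fingerprint(ALICE_KEY)),
}

HEX64 = re.compile(r"[0-9A-Fa-f]{64}")


def fetch_tweet(service: str, proof_id: str) -> Optional[Tweet]:
    """Offline stand-in for fetching the proof post from the service."""
    if service != "twitter":
        return None
    return SAMPLE_TWEETS.get(proof_id)


def check_affirmation(aff: Affirmation, key_material: bytes) -> str:
    """Return "affirmed" when the claimed account published this key's
    fingerprint, otherwise a short reason. Both directions are checked:
    the keyring names the handle, and the post must come from exactly that
    handle and carry exactly this key's fingerprint. It deliberately never
    returns "proven": the result is a hint for a trust decision."""
    tweet = fetch_tweet(aff.service, aff.proof_id)
    if tweet is None:
        return "proof not found"
    if tweet.author.lower() != aff.handle.lower():
        return "proof posted by a different account"
    fingerprints_in_post = {m.group(0).upper() for m in HEX64.finditer(tweet.text)}
    if fingerprint(key_material) not in fingerprints_in_post:
        return "fingerprint mismatch"
    return "affirmed"


def explain(aff: Affirmation, key_material: bytes) -> str:
    """One line a client could show next to a key search result."""
    return f"{aff.service}:@{aff.handle} -> {check_affirmation(aff, key_material)}"


if __name__ == "__main__":
    for aff in (
        Affirmation("twitter", "alice", "1001"),  # genuine
        Affirmation("twitter", "alice", "1002"),  # post carries a different fingerprint
        Affirmation("twitter", "alice", "2001"),  # mallory's post, alice claimed
        Affirmation("twitter", "alice", "9999"),  # post missing or deleted
    ):
        print(explain(aff, ALICE_KEY))
```

The check has to run in both directions: the keyring names the account, and the post must come from that account and name this key, otherwise anyone could tweet Alice's fingerprint from their own account and have a client treat it as a binding. Even when both match, the post can be deleted and the account can change hands, which is exactly why the message calls these reasons rather than proof; a design that wants more would have the post carry a signature by the key over the claim, not just the fingerprint.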