August 12, 2005
WoT in Pictures, p2p lending, mailtapping
Rick points at a nice page showing lots of OpenPGP web of trust metrics.
The web of trust in OpenPGP is an informal idea based on signing each other's keys. As what a signature means was never really specified, there are two schools of thought: one where "I'll sign anyone's key if they give me the fingerprint," and another, more European-inspired one that Rick lists as "it normally involves reviewing a proof of their identity." Obviously these two are in direct conflict. Yet the web of trust seems not to care too much, perhaps because nobody would really rely on the web of trust alone to do anything serious.
So an open question is due - how many out there believe in the model of "proving identity then signing" and how many out there subscribe to the more informal "show me your fingerprint and I'll trust your nym?"
What's this got to do with Financial Cryptography? PKI, the white elephant of Internet security, is getting a shot in the arm from the web of trust. In order to protect web browsing, CAcert issues certificates to you based on your subscription and your entry into its web of trust. In one sense they have outsourced (strong) identity checking to their subscribers; in another they've said that this is a much better way to get certificates to users, which is where security begins, not ends.
More pennies: I've got my Thunderbird and Firefox back, so now I can see the RSS feeds. I came across this from Risks: How to build software for use in a den of thieves. We'd call that Governance and insider threats in the FC world - some nice tips there though.
PaymentNews reports that PayPal CEO Jeff Jordan presented to Etail 2005:
Nearly 10 percent of all U.S. e-commerce is funneled through PayPal, according to Jordan. One out of seven transactions crosses national boundaries. Consumers in more than 40 countries send PayPal, and those in more than 20 countries receive this currency.
"Our goal," he said, "is to be the global standard for online payments."
(More on Paypal.) And more from Scott:
Eliminate the banking middle man -- that's what Zopa's about. Rebecca Jarvis reports for Business 2.0 on what the UK's Richard Duvall is up to with Zopa.
Are you a better lender than a bank is? Richard Duvall, who helped launch Britain's largest online bank, Egg, thinks you are. His new venture, Zopa, is an eBay-like website that lets ordinary citizens borrow money from other regular Joes -- no bank needed.
In mailtapping news from Lynn, a US court of appeals reversed an earlier ruling and held that an ISP copying and reading its customers' emails in transit falls under the wiretap statute, so the case can proceed. Meanwhile a survey found that small firms were failing to copy and escrow emails as instructed. And we now have the joy of companies competing to datamine the outgoing packets in order to spy on insiders' net habits. The sales line? "every demo results in a sacked employee..."
E-mail wiretap case can proceed, court says
Study Finds Small Securities Firms Still Fail To Comply With SEC E-mail Archiving Regulations
When E-Mail Isn't Monitored
In closing, Everquest II faced off with hackers who had found a bug that let them create currency. We've seen this activity in the DGC world, and it has no doubt hit the PayPal world from time to time; it's what makes payment systems serious.
Posted by iang at August 12, 2005 07:48 AM
Looking at those charts, I'm struck that it seems not terribly different (and correct me here if I'm wrong) than normal social relations. I may have different reasons for "signing someone's key" (saying I know them), and other people might have different metrics for evaluating such certifications.
I rely on the web of trust completely for anything serious. More than anything else, actually. I just don't assign trust to people who sign keys carelessly.
I am completely confident in the keys that are marked trustworthy on my keyring either because they have been signed by myself or by other people whose judgement I trust.
What is an open question is whether or not to export trust signatures. Do I always want to make my judgements about others' trustworthiness public? Personally, I don't. I export my trust signature on someone's key only when I get a reciprocal favor or get paid by other means. Also, I might trust (or distrust) certain people at my own risk, but I don't want to pass that judgement on -- I am not confident enough to do that. This is also a measure to make my public trust signatures more valuable.
Unfortunately, a lot of people seem to be confused by the difference between Key-ID binding signatures and trust signatures and refer to both as "signing the key". The first is a property of a relationship between a key and a name, certifying the extent to which the signer is confident that the name belongs to the key. The trust signature is a property of the key only and certifies the extent to which the signer trusts the owner of the key (whatever his name) to make correct judgements.
For some reason, trust signatures are not very popular, although I believe that they are far more important from an FC point of view than key-id bindings. To the point that I don't care what the other person's name or nym is -- I'm doing business with the holder of the public key and don't care about his name; only his reputation. In the ePoint system, the nym is the public key fingerprint and the ID serves only informational purposes.
In my opinion, the PGP web of trust is a very powerful infrastructure, of which the full potential is yet to be recognized and appreciated.
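As an added example (not code from the post or from the commenter above), here is how the two kinds of signature discussed in that comment look on the wire in RFC 4880. A key-to-user-ID certification is a signature packet of type 0x10 to 0x13; a trust signature is such a certification that additionally carries a Trust Signature subpacket (type 5) with a trust level and a trust amount in its hashed area. The script builds two constructed sample packets (the key ID and the signature MPI are placeholders, so nothing here verifies cryptographically) and parses them back to report the certification class and any trust assertion.

```python
"""Distinguish plain OpenPGP certifications from trust signatures (RFC 4880).

Added example: the packets are constructed by hand with placeholder values,
so their structure is valid but they carry no real cryptographic signature.
"""
import struct

CERT_CLASSES = {
    0x10: "generic certification (0x10)",
    0x11: "persona certification (0x11)",
    0x12: "casual certification (0x12)",
    0x13: "positive certification (0x13)",
}
SUB_CREATION_TIME = 2
SUB_TRUST_SIG = 5      # RFC 4880 5.2.3.13: one octet level, one octet amount
SUB_ISSUER = 16


def _subpacket(sub_type, body):
    # The length octet counts the type octet plus the body (one octet while < 192).
    length = len(body) + 1
    if length >= 192:
        raise ValueError("example only emits short subpackets")
    return bytes([length, sub_type]) + body


def build_certification(sig_type, issuer_keyid, trust=None):
    """Build a v4 signature packet; trust=(level, amount) adds a Trust Signature subpacket."""
    hashed = _subpacket(SUB_CREATION_TIME, struct.pack(">I", 1123833600))  # 2005-08-12
    if trust is not None:
        level, amount = trust
        hashed += _subpacket(SUB_TRUST_SIG, bytes([level, amount]))
    hashed += _subpacket(SUB_ISSUER, issuer_keyid)
    unhashed = b""
    body = (bytes([4, sig_type, 1, 8])                 # v4, sig type, RSA (1), SHA-256 (8)
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x5a\x5a"                              # left 16 bits of hash (placeholder)
            + struct.pack(">H", 16) + b"\xab\xcd")     # one 16-bit MPI (placeholder value)
    if len(body) >= 192:
        raise ValueError("example only emits one-octet packet lengths")
    return bytes([0xC0 | 2, len(body)]) + body         # new-format header, tag 2 = signature


def _sub_len(data, pos):
    first = data[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5


def parse_subpackets(data):
    """Yield (type, critical, value) for each subpacket in a hashed/unhashed area."""
    subs, pos = [], 0
    while pos < len(data):
        length, pos = _sub_len(data, pos)
        if length == 0 or pos + length > len(data):
            raise ValueError("truncated subpacket")
        type_octet = data[pos]
        subs.append((type_octet & 0x7F, bool(type_octet & 0x80), data[pos + 1:pos + length]))
        pos += length
    return subs


def _trust_meaning(level, amount):
    degree = "complete" if amount >= 120 else "partial"   # RFC 4880: 120 = complete, 60 = partial
    if level == 0:
        return "level 0: ordinary certification, no introducer trust"
    if level == 1:
        return "level 1: key is a trusted introducer (%s trust)" % degree
    return "level %d: may itself issue level-%d trust signatures (%s trust)" % (level, level - 1, degree)


def describe_signature(packet):
    """Parse one signature packet and report its class and any trust assertion."""
    tag_octet = packet[0]
    if not tag_octet & 0x80:
        raise ValueError("not an OpenPGP packet")
    if tag_octet & 0x40:                                  # new-format header
        tag, first = tag_octet & 0x3F, packet[1]
        if first < 192:
            body_len, start = first, 2
        elif first < 224:
            body_len, start = ((first - 192) << 8) + packet[2] + 192, 3
        elif first == 255:
            body_len, start = struct.unpack(">I", packet[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                                 # old-format header
        tag, ltype = (tag_octet >> 2) & 0x0F, tag_octet & 0x03
        if ltype == 0:
            body_len, start = packet[1], 2
        elif ltype == 1:
            body_len, start = struct.unpack(">H", packet[1:3])[0], 3
        elif ltype == 2:
            body_len, start = struct.unpack(">I", packet[1:5])[0], 5
        else:
            raise ValueError("indeterminate length not supported")
    if tag != 2:
        raise ValueError("packet tag %d is not a signature" % tag)
    body = packet[start:start + body_len]
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    sig_type = body[1]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = body[pos + 2:pos + 2 + unhashed_len]

    info = {"type": sig_type, "issuer": None, "trust": None,
            "class": CERT_CLASSES.get(sig_type, "not a certification (0x%02x)" % sig_type)}
    # Only the hashed area is covered by the signature, so a trust assertion is
    # honoured from there alone; the issuer key ID is commonly left unhashed.
    for sub_type, _critical, value in parse_subpackets(hashed):
        if sub_type == SUB_ISSUER:
            info["issuer"] = value.hex().upper()
        elif sub_type == SUB_TRUST_SIG:
            info["trust"] = {"level": value[0], "amount": value[1],
                             "meaning": _trust_meaning(value[0], value[1])}
    for sub_type, _critical, value in parse_subpackets(unhashed):
        if sub_type == SUB_ISSUER and info["issuer"] is None:
            info["issuer"] = value.hex().upper()
    return info


ISSUER = bytes.fromhex("0123456789ABCDEF")            # constructed 64-bit key ID
PLAIN_CERT = build_certification(0x13, ISSUER)
TRUST_CERT = build_certification(0x13, ISSUER, trust=(1, 120))

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN_CERT), ("tsig", TRUST_CERT)):
        print(name, describe_signature(pkt))
```

The point the parser makes concrete is that a trust signature is carried inside a certification (the signer still signs a key/user-ID pair) and is recognisable only by the subpacket; a trust assertion in the unhashed area is not signed and is therefore ignored. GnuPG's local ownertrust setting, by contrast, lives in the trust database and never appears in any packet.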
Can an SSO infrastructure be built on the WoT model?
> Can an SSO infrastructure be built on the WoT model?
I don't see why not? In fact I'd say it is essential, in that different SOs need different authentications. But that's to pre-judge the requirements.
> So an open question is due - how many out there believe in the model of "proving identity
> then signing" and how many out there subscribe to the more informal "show me your
> fingerprint and I'll trust your nym?"
What constitutes "proving identity?"
What does "identity" include? Is an email address part of identity? What about a personal name? Or a photograph?
For social interaction, I'd say that official(-looking) ID, absent obvious signs of forgery, is good enough to prove identity, as is a personal introduction from a mutual friend, or personal long-term acquaintance. At what point do we have enough social interaction assurance of identity to start trusting it for decisions with higher monetary value?
Now, I don't consider ephemeral transport data such as an address (postal or email, with email increasingly unreliable due to filtering) to be part of the identity I'd be certifying with a signature. Does this reduce the value of a signature?
Note that others differ on whether email addresses are transport data or part of "identity". For an example, see PGP Corporation's changes to their public key server. PGP no longer even includes their own software release and update signing keys on their server, since those keys do not have working email addresses embedded in the user name. This has a downside for authenticating their updates...