Looking at those charts, I'm struck that it seems not terribly different (and correct me here if I'm wrong) than normal social relations. I may have different reasons for "signing someone's key" (saying I know them), and other people might have different metrics for evaluating such certifications.
And?
Posted by Jamie at August 14, 2005 05:43 PM
I rely on the web of trust completely for anything serious. More than anything else, actually. I just don't assign trust to people who sign keys carelessly.
I am completely confident in the keys that are marked trustworthy on my keyring either because they have been signed by myself or by other people whose judgement I trust.
What is an open question is whether or not to export trust signatures. Do I always want to make my judgements about others' trustworthiness public? Personally, I don't. I export my trust signature on someone's key only when I get a reciprocal favor or get paid by other means. Also, I might trust (or distrust) certain people at my own risk, but I don't want to pass that judgement on -- I am not confident enough to do that. This is also a measure to make my public trust signatures more valuable.
Unfortunately, a lot of people seem to be confused by the difference between Key-ID binding signatures and trust signatures and refer to both as "signing the key". The first is a property of a relationship between a key and a name, certifying the extent to which the signer is confident that the name belongs to the key. The trust signature is a property of the key only and certifies the extent to which the signer trusts the owner of the key (whatever his name) to make correct judgements.
For some reason, trust signatures are not very popular, although I believe that they are far more important from an FC point of view than key-id bindings. To the point that I don't care what the other person's name or nym is -- I'm doing business with the holder of the public key and don't care about his name; only his reputation. In the ePoint system, the nym is the public key fingerprint and the ID serves only informational purposes.
In my opinion, the PGP web of trust is a very powerful infrastructure, of which the full potential is yet to be recognized and appreciated.
Posted by Daniel A. Nagy at August 15, 2005 12:27 PM
Can an SSO infrastructure be built on the WoT model?
Posted by Steve at August 16, 2005 10:20 AM
> Can an SSO infrastructure be built on the WoT model?
I don't see why not? In fact I'd say it is essential, in that different SOs need different authentications. But that's to pre-judge the requirements.
Posted by Iang at August 16, 2005 10:26 AM
> So an open question is due - how many out there believe in the model of "proving identity
> then signing" and how many out there subscribe to the more informal "show me your
> fingerprint and I'll trust your nym?"
What constitutes "proving identity?"
What does "identity" include? Is an email address part of identity? What about a personal name? Or a photograph?
For social interaction, I'd say that official(-looking) ID, absent obvious signs of forgery, is good enough to prove identity, as is a personal introduction from a mutual friend, or personal long-term acquaintance. At what point do we have enough social interaction assurance of identity to start trusting it for decisions with higher monetary value?
Now, I don't consider ephemeral transport data such as an address (postal or email, with email increasingly unreliable due to filtering) to be part of the identity I'd be certifying with a signature. Does this reduce the value of a signature?
Note that others differ on whether email addresses are transport data or part of "identity". For an example, see PGP Corporation's changes to their public key server. PGP no longer even includes their own software release and update signing keys on their server, since those keys do not have working email addresses embedded in the user name. This has a downside for authenticating their updates...
Posted by Richard Johnson at August 19, 2005 04:57 PM
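As an added example (not code from this thread, and not GnuPG's implementation) that models the distinction Daniel draws between key-to-name certifications and trust signatures, and the effect of keeping one's trust signatures unexported, here is a small Python web-of-trust evaluator. The keys, names and signatures are constructed; the "1 complete or 3 marginal certifications" thresholds and the depth cap mirror GnuPG's classic defaults, while the propagation rules are a deliberate simplification.

```python
"""Toy PGP web-of-trust model: name certifications vs. trust signatures.
Added illustration, not code from this thread or from GnuPG. Keys, names and
signatures are constructed; thresholds follow GnuPG's classic defaults
(1 complete or 3 marginal certifications; chain depth capped at 5), but the
propagation rules are a simplification of the real trust model."""
from dataclasses import dataclass, field

MARGINAL, FULL = 60, 120               # OpenPGP trust-signature amounts
MARGINALS_NEEDED, COMPLETES_NEEDED = 3, 1
MAX_DEPTH = 5

@dataclass
class Cert:                            # key<->name binding ("signing the key")
    signer: str                        # fingerprint of the certifying key
    exportable: bool = True            # False: local-only, never published

@dataclass
class TrustSig:                        # trust in the owner as a certifier
    signer: str
    depth: int                         # further hops the owner may delegate
    amount: int                        # MARGINAL or FULL
    exportable: bool = True            # False: private judgement, not exported

@dataclass
class Key:
    fpr: str
    uids: dict                         # name -> list[Cert] on that name
    tsigs: list = field(default_factory=list)

def evaluate(keys, my_fpr, include_local=True):
    """Return {fpr: {"valid_uids", "trust", "depth"}} for every key.
    include_local=True is my own keyring's view; False is what a third
    party sees once only my exportable signatures are published."""
    state = {f: {"valid_uids": set(), "trust": 0, "depth": 0} for f in keys}
    state[my_fpr] = {"valid_uids": set(keys[my_fpr].uids), "trust": FULL, "depth": MAX_DEPTH}
    changed = True
    while changed:                     # iterate to a fixpoint
        changed = False
        for fpr, key in keys.items():
            if fpr == my_fpr:
                continue
            # 1. A name is valid once enough valid, trusted keys certified it.
            for name, certs in key.uids.items():
                if name in state[fpr]["valid_uids"]:
                    continue
                completes = marginals = 0
                for c in certs:
                    if not c.exportable and not include_local:
                        continue
                    s = state.get(c.signer)
                    if s is None or not s["valid_uids"]:   # signer must itself be valid
                        continue
                    if s["trust"] >= FULL:
                        completes += 1
                    elif s["trust"] >= MARGINAL:
                        marginals += 1
                if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                    state[fpr]["valid_uids"].add(name)
                    changed = True
            # 2. Trust is a property of the key, independent of any name: it
            #    comes only from trust signatures by fully trusted keys that
            #    still have delegation depth left.
            if not state[fpr]["valid_uids"]:
                continue
            best_amount, best_depth = state[fpr]["trust"], state[fpr]["depth"]
            for t in key.tsigs:
                if not t.exportable and not include_local:
                    continue
                s = state.get(t.signer)
                if s is None or not s["valid_uids"] or s["trust"] < FULL or s["depth"] < 1:
                    continue
                if t.amount > best_amount:
                    best_amount, best_depth = t.amount, min(t.depth, s["depth"] - 1)
            if best_amount != state[fpr]["trust"]:
                state[fpr].update(trust=best_amount, depth=best_depth)
                changed = True
    return state

def valid_names(keys, my_fpr, include_local=True):
    """fingerprint -> sorted names I may rely on."""
    return {f: sorted(s["valid_uids"]) for f, s in evaluate(keys, my_fpr, include_local).items()}

# Constructed keyring; single-letter "fingerprints" for readability.
ME = "A"
KEYS = {
    "A": Key("A", {"Me": []}),
    # I certified Alice's name and publicly trust her as a certifier (depth 1).
    "B": Key("B", {"Alice": [Cert("A")]}, [TrustSig("A", depth=1, amount=FULL)]),
    # Alice certified Bob, Carol and Erin; I trust each only marginally, and
    # only locally, so those judgements never leave my keyring.
    "C": Key("C", {"Bob": [Cert("B")]}, [TrustSig("A", 1, MARGINAL, exportable=False)]),
    "D": Key("D", {"Carol": [Cert("B")]}, [TrustSig("A", 1, MARGINAL, exportable=False)]),
    "E": Key("E", {"Erin": [Cert("B")]}, [TrustSig("A", 1, MARGINAL, exportable=False)]),
    # Frank's name carries three marginal certifications; a second user ID
    # was certified by Bob alone.
    "F": Key("F", {"Frank": [Cert("C"), Cert("D"), Cert("E")],
                   "frank@example.invalid": [Cert("C")]}),
}

if __name__ == "__main__":
    print("my keyring :", valid_names(KEYS, ME))
    print("third party:", valid_names(KEYS, ME, include_local=False))
```

Run as a script, the two lines show the point: on my own keyring Frank's name is valid because three marginally trusted certifiers vouch for it, while a third party who only sees my exported signatures gets the same valid names for Alice, Bob, Carol and Erin (those certifications and the trust signature on Alice were exportable) but nothing for Frank, because my marginal trust in Bob, Carol and Erin was never published. The two signature types are kept as separate records on purpose: `Cert` only ever makes a name valid, and `TrustSig` only ever makes a key a usable certifier.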