Web of trust

Marian Štepka stepka@klifton.sk
Thu Jun 6 17:24:01 2002


Howzit;

> Hi,
>
> I've read a lot about the web of trust, and about how signatures must be
> given with extreme caution and so on. However, I find that it is very
> difficult, if not impossible, to build a sizable web of trust that is at
> the same time useful and safe. I've had to sign myself several keys because
> I didn't manage to find any possible route, and I've been using the
> resource of signing locally, in order not to pollute the public arena with
> unverified signatures.

From my point of view it is not important to build a really *big* web of trust.
Usually people communicate in a small community, e.g. for business or what,
and they must meet personally first to know who is who. Then they can go back
away. If somebody new comes to the company on one side, e.g., somebody already
known to the other side can sign his key, and people on the other side can trust
him because somebody already known signed his key. Uffff...

> My question is: is there a better way to do this? Are there chances that
> webs of trust will increase in the future? I just have the feeling that
> cryptography is sort of falling out of use, and I don't see much of a
> possibility that the web of trust will be ever thick enough.

I think that the "model" of the web of trust depends on the situation where it
is used. It will not grow to "universe scale" where everybody knows everybody.

> As well, I've been thinking whether a software solution could improve
> things. Something like sending an e-mail to the owner of a key with the
> request for a task that a computer can't do, and if the request is
> validated, then the key would acquire a given signature. Something like a
> low-level security Certification Agent. What do you think about this?

I think that a "human" must consider whether to "sign or not sign"; this model
is not safe.

> BTW, sorry if this is off-topic, but I don't know of anywhere else where to
> discuss these issues.

Does not look off-topic.