trust problem

Adrian 'Dagurashibanipal' von Bidder avbidder at fortytwo.ch
Sat Dec 20 15:51:44 CET 2003


On Friday 19 December 2003 23:56, Paul E Condon wrote:

> Has any consideration been given to assigning a numeric value to trust?
> I imagine having a trust value between 0 (no trust) and 1 (absolute trust).
> In a chain of signed keys, the trust of the keys along the chain would be
> the product of the trust values of the keys to the left in the diagram.

Google around, and search a paper by prof. Ueli Maurer (ETH Zürich - where I 
study, incidentally) on this subject.

It's not as easy as you think. Consider


       P1 -----> P2 -------> P4
        |       | ^         ^
        \       v |         |
         ------> P3 --------/

So, with the cycle between P2 and P3, calculating the trust you should have 
for P4 becomes non-trivial - because, clearly, the fact that P2 and P3 have 
cross-signed their keys should matter - simply eliminating the cycle will 
distort the metrics (and which link in the cycle will you remove?)

The other thing: even the simple trust model gpg uses currently is too 
complicated for most people - try explaining it to somebody (in a 
non-technical profession, perhaps) who just wants to use email and doesn't 
care for security. This *does* matter because many people think that 
everybody should be using encryption (after all, email *is* terribly 
insecure).


> To make this useful, there might have to be some sort of public database
> of the average level of trust of the community in the signings of keys
> by individuals. I see nasty social problems with such a database, but
> still, making trust be more numeric might have some advantages.

I think such a db would be completely bogus. Trust is a very personal thing.  
Sure, reputation is closely linked to trust, but I wouldn't say that having a 
high score in this db would tell anything about that person's reputation.

cheers
-- vbi

-- 
featured link: http://fortytwo.ch/gpg/subkeys
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 331 bytes
Desc: signature
Url : /pipermail/attachments/20031220/f3e8c3d6/attachment.bin


More information about the Gnupg-users mailing list