Why CAs or public keysigning?

greg@turnstep.com greg@turnstep.com
Wed Jun 18 17:06:02 2003

Hash: SHA1

> If the WoT of a particular
> person you are interested in includes 5000 entries/connections/etc. but
> you do not know any of them, then their trustworthiness == 0.  I think
> the WoT is only as strong as its weakest link.  With that in mind, party on.

Your are mixing your analogies. A "weakest link" refers to a chain, not a web. 
A chain is only as strong as its weakest link, but a web is as strong as 
its strongest strand or "link". If I have what I consider a strong link between 
myself and (for example) Werner Koch, then the number of other paths (or links) 
between him and myself are irrelevant. If someone has intentionally tried to corrupt 
the Web of Trust, you can snip that person and all their connections out of the 
web and still have a coherent whole. The power of the WoT lies in the fact that 
it is a web, and not a chain, and thus every node has multiple overlapping 
connections. Remember that the "strength" of the Web of Trust refers to its degree 
of interconnectedness, and not to the number of people inside of it. That is 
why keysignings are important: they strengthen the Web of Trust.

Deciding whom to trust is a personal decision, but at some point you have to 
go beyond meeting people personally and start trusting other people. I've never 
met most people in the WoT, but if 5 people I knew signed someone's key, and 30 
other people I don't know but who have a path back to me have signed it as well, 
I am pretty confident that nothing funny is going on.

- --
Greg Sabino Mullane greg@turnstep.com
PGP Key: 0x14964AC8 200306181043

Comment: http://www.turnstep.com/pgp.html