Why CAs or public keysigning?

CL Gilbert Lamont_Gilbert@RigidSoftware.com
Wed Jun 18 17:58:03 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

greg@turnstep.com wrote:
|
|
|>If the WoT of a particular
|>person you are interested in includes 5000 entries/connections/etc. but
|>you do not know any of them, then their trustworthiness == 0.  I think
|>the WoT is only as strong as its weakest link.  With that in mind,
|>party on.
|
|
| You are mixing your analogies. A "weakest link" refers to a chain, not a web.
| A chain is only as strong as its weakest link, but a web is as strong as
| its strongest strand or "link". If I have what I consider a strong link between
| myself and (for example) Werner Koch, then the number of other paths (or links)
| between him and myself are irrelevant. If someone has intentionally tried to corrupt
| the Web of Trust, you can snip that person and all their connections out of the
| web and still have a coherent whole. The power of the WoT lies in the fact that
| it is a web, and not a chain, and thus every node has multiple overlapping
| connections. Remember that the "strength" of the Web of Trust refers to its degree
| of interconnectedness, and not to the number of people inside of it. That is
| why keysignings are important: they strengthen the Web of Trust.
|

I am not mixing analogies.  The connection you have to your target is
only as strong as its weakest link.  Maybe you have several paths, but
each one is no stronger than its weakest link.

I do not see a web as being any stronger.  Your level of trust will
reflect your strongest path.  If you have 15 weaker paths they will
become irrelevant.  So additional paths may increase the chance you find
a good path (which I assume is what you mean by strength?), but finding
more paths does not increase the trust of your connection, unless you
happen to find a stronger one.

I guess you have to pick a model that fits your requirements.

| Deciding whom to trust is a personal decision, but at some point you have to
| go beyond meeting people personally and start trusting other people. I've never
| met most people in the WoT, but if 5 people I knew signed someone's key, and 30
| other people I don't know but who have a path back to me have signed it as well,
| I am pretty confident that nothing funny is going on.
|

This is the hardest and most important part.  Whom to trust?

I will sign people's keys that I personally know.  I will not sign
people's keys I do not know, picture ID or not.  For me that is the only way.



| --
| Greg Sabino Mullane greg@turnstep.com
| PGP Key: 0x14964AC8 200306181043
|


- --
Thank you,


CL Gilbert
Free Java interface to Freechess.org
http://www.rigidsoftware.com/Chess/chess.html
"Then said I, Wisdom [is] better than strength: nevertheless the poor
man's wisdom [is] despised, and his words are not heard." Ecclesiastes 9:16

GnuPG Key Fingerprint:
82A6 8893 C2A1 F64E A9AD  19AE 55B2 4CD7 80D2 0A2D
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+8It5VbJM14DSCi0RAhB7AJ4krZAoB8LpLuB7mBhkjKw2Ucy+fgCgw4a3
EZ14h/GPKp2J6zltuoyVyH4=
=XYlf
-----END PGP SIGNATURE-----
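
The trust model argued in the reply above (each path is only as strong as its weakest link, and overall trust follows the strongest path) is the maximin or "widest path" problem. The sketch below is an added example, not part of the original message or of GnuPG's trust calculation; the names, the graph and the 0-to-1 link weights are constructed for illustration.

```python
import heapq

def strongest_path(graph, source, target):
    """Return (strength, path) for the maximin ("widest") path.

    A path's strength is its weakest link; the result is the strongest
    such path, or (0.0, []) when the target is unreachable.
    """
    best = {source: 1.0}
    prev = {}
    heap = [(-1.0, source)]               # max-heap via negated strength
    while heap:
        neg, node = heapq.heappop(heap)
        strength = -neg
        if node == target:                # first pop of target is optimal
            path = [node]
            while path[-1] != source:
                path.append(prev[path[-1]])
            return strength, path[::-1]
        if strength < best.get(node, 0.0):
            continue                      # stale heap entry
        for nxt, weight in graph.get(node, {}).items():
            cand = min(strength, weight)  # weakest link so far
            if cand > best.get(nxt, 0.0):
                best[nxt] = cand
                prev[nxt] = node
                heapq.heappush(heap, (-cand, nxt))
    return 0.0, []

def with_path(graph, via, first, second):
    """Copy of graph with an extra me -> via -> target path added."""
    new = {k: dict(v) for k, v in graph.items()}
    new["me"][via] = first
    new[via] = {"target": second}
    return new

# Constructed graph: WEB[signer][signee] = confidence in that link (0..1).
WEB = {
    "me":    {"alice": 0.9, "bob": 0.6},
    "alice": {"target": 0.4},
    "bob":   {"target": 0.5},
}

if __name__ == "__main__":
    print(strongest_path(WEB, "me", "target"))
    # An extra, weaker path leaves the result unchanged.
    print(strongest_path(with_path(WEB, "carol", 0.3, 0.9), "me", "target"))
    # Only a stronger path raises it.
    print(strongest_path(with_path(WEB, "dave", 0.8, 0.8), "me", "target"))
```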