certificate chain depth
david at gbenet.com
Sat Apr 25 22:31:45 CEST 2009
-----BEGIN PGP SIGNED MESSAGE-----
Robert J. Hansen wrote:
>> Hi, I don't wish to be over-simplistic, but I had thought that the web
>> of trust was a people thing rather than a mathematical model.
> Honestly, it's a little of one and a lot of the other. The questions of
> "whom do I trust and why?" is purely a human factor; the questions of
> "... and given I trust them, what can I deduce to be true?" is a
> mathematical question.
>> What is trust anyway?
> Generally, trust is the ability to break someone's security policy.
> E.g., I've given a friend of mine from college, John Hawley, a trusted
> signature. John can now screw over my local security policy. If I see
> a key which John has signed, I'm going to assume that key is valid. If
> John signs keys that aren't valid, he can break my security policy.
> This is why most uses of the phrase "trusted system" give security geeks
> the heebie-jeebies. A trusted system is, ironically, more dangerous
> than an untrusted system. An untrusted system has no capability to
> break your security policy; a trusted system can. That means trusted
> systems often need to be watched like hawks.
> In a similar vein, many Wall Street brokers were trusted with billions
> of client money -- and they should have been watched closely as a result
> of that trust.
I appreciate secure systems - being rigid are apt to get broken or
people break out of them :) just as equally friendships based on common
interests and concerns dissolve - may be there's no trust in keys at
all. it's a value judgement - that over time, changing conditions may
not reflect the "trust" one had in regard to the person. I'm not likely
to put trust into systems.
I appreciate the security of transmitted data and a requirement it's not
going to leak out the edges or that some one's going to compromise
oneself or others - or (it just struck me) that I may want to compromise
some one (shudder) but then we are still making value judgements about
people and who we trust and why we trust them.
It was philosophical - radical politics - enabling people to protect
their privacy - as a driving principle - where are we now then? a small
group of people that's fairly secure - but the principle is for public
world wide use of pgp to safeguard their privacy - with a fair few
intent on breaking it. It's still a people thing - conflicts of
interest, politics, philosophy the ethics or mores that govern how
people interact. What they share - are we to become closed and only open
if a key is trusted by so many? That in itself is a weakness.
Must be the Med sea and the coffee ............
Wisdom is knowing what to do with what you know. This message and any
attachments are solely for the intended recipient and may contain
confidential or privileged information. If you are not the intended
recipient, any disclosure, copying, use, or distribution of the
information included in this message and any attachments is prohibited.
If you have received this communication in error email
postmaster at gbenet.com. Thank you.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the Gnupg-users