Formalizing the Facebook Web of Trust
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Jan 7 02:39:53 CET 2010
On 01/06/2010 04:16 PM, Andre Amorim wrote:
> What are your thoughts about that?
>
> http://www.cs.rice.edu/~mtd3/comp527/comp527presentation.pdf
Interesting! Thanks for pointing it out.
I like the idea of using Facebook as a transport/distribution mechanism.
I'm less confident in their use of Facebook to encourage keysigning.
For example, I'm not even sure I understand the part where they talk
about "photos of Devin taken by his friends", from the Facebook app on
page 7 of the presentation:
>> Make sure you fully trust Devin's public key. You can do this by
>> verifying the photos of Devin taken by his friends and/or verifying the
>> public key fingerprint with an out of band communication method (in
>> person, over the phone, etc)
Also, the authors of the presentation seem to have gotten the semantics
of keysigning confused with ownertrust. Standard OpenPGP key signatures
certify *nothing* about the issuer's belief in the subject's capacity as
a keysigner, but their Facebook app suggests otherwise (also on page 7):
>> By signing Devin's public key, you vouch for the validity of that key
>> and your trust that Devin will exercise good judgement when signing
>> other public keys
These concepts (the difference between key/uid validity and ownertrust)
are already pretty confusing; it would be a shame if Facebook users were
introduced to the OpenPGP concepts by this sort of a mixed message.
That said, OpenPGP does have many of the properties that make social
networking appealing. It'd be a Good Thing to use existing social
networks to bring people into the Web of Trust online, if done carefully.
--dkg
PS: Their Pidgin work is unclear from the paper, so I don't really know
how to evaluate it. If all they did was fetch keys from Facebook,
that's a little weird (since they could already fetch keys from the hkp
network). I'm also not convinced that OpenPGP messages are the best
technological choice (without *significant* extra thought and UI work)
for instant messaging.
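As an added illustration of the validity-versus-ownertrust distinction drawn above (example code, not from the thread, the presentation or GnuPG itself), here is a toy model of GnuPG's classic trust computation. The key names "me", "devin" and "friend" are constructed; the thresholds are GnuPG's default marginals-needed/completes-needed values.

```python
from dataclasses import dataclass, field
from enum import IntEnum

MARGINALS_NEEDED = 3  # GnuPG defaults for the classic trust model
COMPLETES_NEEDED = 1

# Ownertrust levels, named as GnuPG names them.
Trust = IntEnum("Trust", "UNKNOWN NEVER MARGINAL FULL ULTIMATE", start=0)

@dataclass
class Keyring:
    # Certifications (key signatures) as (signer, subject) pairs. A signature
    # says "signer checked that subject belongs to its user ID", nothing more.
    certs: set = field(default_factory=set)
    # Ownertrust: my local, unexported opinion of a key holder as an introducer.
    ownertrust: dict = field(default_factory=dict)

    def sign(self, signer, subject):
        self.certs.add((signer, subject))

    def set_ownertrust(self, key, level):
        self.ownertrust[key] = level

    def is_valid(self, key, _seen=frozenset()):
        """Validity: do I believe `key` belongs to the person it names?"""
        if self.ownertrust.get(key) == Trust.ULTIMATE:
            return True
        if key in _seen:                 # break certification cycles
            return False
        full = marginal = 0
        for signer, subject in self.certs:
            if subject != key or not self.is_valid(signer, _seen | {key}):
                continue                 # only certifications from valid keys count
            t = self.ownertrust.get(signer, Trust.UNKNOWN)
            if t >= Trust.FULL:
                full += 1
            elif t == Trust.MARGINAL:
                marginal += 1
        return full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED

def demo():
    """Signing Devin's key does not make Devin an introducer (constructed data)."""
    kr = Keyring()
    kr.set_ownertrust("me", Trust.ULTIMATE)
    kr.sign("me", "devin")        # I verified Devin's fingerprint out of band
    kr.sign("devin", "friend")    # Devin certified someone I have never met
    before = (kr.is_valid("devin"), kr.is_valid("friend"))
    kr.set_ownertrust("devin", Trust.FULL)   # a separate, local decision
    after = (kr.is_valid("devin"), kr.is_valid("friend"))
    return before, after   # ((True, False), (True, True))
```

Devin's key becomes valid the moment I sign it, but keys Devin has signed stay invalid until I separately assign Devin ownertrust; the signature alone never conveys that.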