Formalizing the Facebook Web of Trust

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jan 7 02:39:53 CET 2010


On 01/06/2010 04:16 PM, Andre Amorim wrote:

> What are your thoughts about that ?
> 
> http://www.cs.rice.edu/~mtd3/comp527/comp527presentation.pdf

Interesting!  thanks for pointing it out.

I like the idea of using Facebook as a transport/distribution mechanism.
 I'm less confident in their use of Facebook to encourage keysigning.

For example, i'm not even sure i understand the part here where they
talk about "photos of Devin taken by his friends":

 from the facebook app on page 7 of the presentation:
>> Make sure you fully trust Devin's public key.  You can do this by
>> verifying the photos of Devin taken by his friends and/or verifying the
>> public key fingerprint with an out of band communication method (in
>> person, over the phone, etc)


Also, the authors of the presentation seem to have gotten the semantics
of keysigning confused with ownertrust.  Standard OpenPGP key signatures
certify *nothing* about the issuer's belief in the subject's capacity as
a keysigner, but their facebook app suggests otherwise (also on page 7):

>> By signing Devin's public key, you vouch for the validity of that key
>> and your trust that Devin will exercise good judgement when signing
>> other public keys

These concepts (the difference between key/uid validity and ownertrust)
are already pretty confusing; it would be a shame if facebook users were
introduced to the OpenPGP concepts by this sort of a mixed message.

That said, OpenPGP does have many of the properties that make social
networking appealing.  it'd be a Good Thing to use existing social
networks to bring people into the Web of Trust online, if done carefully.

	--dkg

PS their pidgin work is unclear from the paper, so i don't really know
how to evaluate it.  if all they did was fetch keys from facebook,
that's a little weird (since they could already fetch keys from the hkp
network).  i'm also not convinced that OpenPGP messages are the best
technological choice (without *significant* extra thought and UI work)
for instant messaging.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 891 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20100106/845b54f9/attachment.pgp>


More information about the Gnupg-users mailing list