Web of Trust itself is the problem

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jan 7 16:45:04 CET 2010


On 01/07/2010 04:36 AM, makrober wrote:
> *Most individuals will rarely, if ever, be motivated to communicate
> in secrecy with someone they don't already have a trusted
> relationship with*.

I beg to differ.  Anyone who has ever conducted online business has a
strong incentive for communications secrecy with a remote party with
whom they do not yet have a trusted relationship.

At the very least, the transfer of payment credential information is
something most people would prefer was only seen by the other party in
the transaction.

The fact that most online transactions like this happen through the
world wide web these days, and not e-mail, is perhaps a reason that the
WoT does not have wider adoption, since the WoT is not used for the www
(yet -- some of us are working on that).

Online transactions are only one of many examples, but probably the one
that people are most familiar with.  The WoT also provides a method to
handle situations like key loss or revocation, and subsequent new keys
without forcing the keyholder to meet up in-person (or otherwise secured
out-of-band) with every one of their contacts.

Why is this all relevant?  There are good reasons why you might be
interested in knowing that someone specific signed something public, of
course (e.g. software signatures, advice on mailing lists or other fora,
etc).  But for non-public communications: you *must* know who the remote
endpoint is in order to have truly secret communications.  Without that
knowledge, you are communicating with an unknown party, so who are you
keeping things secret from?

"secret" communications with an unknown remote party over a
trivially-compromised communications medium are anything but secret.

	--dkg
