Formalizing the Facebook Web of Trust

Doug Barton dougb at dougbarton.us
Mon Jan 25 07:39:57 CET 2010


[ I realize this is an old thread, but AFAICT no one mentioned this and
I think it's useful enough to add to the mix. ]

On 01/06/10 17:39, Daniel Kahn Gillmor wrote:
| PS their pidgin work is unclear from the paper, so i don't really know
| how to evaluate it.  if all they did was fetch keys from facebook,
| that's a little weird (since they could already fetch keys from the hkp
| network).  i'm also not convinced that OpenPGP messages are the best
| technological choice (without *significant* extra thought and UI work)
| for instant messaging.

I agree that PGP is not likely the best choice for IM. It's also
important to define your goals. If your goals are merely to obscure your
messages from casual observers, a lot of IM services use SSL now. Several
EFnet IRC servers are using it (http://www.efnet.org/?module=servers,
although they tend to include it as an afterthought), AIM/ICQ has the
option available, and of course there is Jabber/XMPP which has had it
available for a long time.

If your goal is something more robust that can encrypt the entire
channel, even from the server operators, then the Trillian client has
had this feature for at least 7 years, although last I checked it was
only for Windows.

If you want something that is cross-platform, able to encrypt the
channel, AND able to do some cursory identity validation as well, "Off
the record" messaging is the answer. http://www.cypherpunks.ca/otr/ It's
available as a plugin for pidgin, and I'm given to understand is
included in other clients by default as well (such as adium for mac).
I've used it for years and have been very pleased with it.

I'll restrain myself from commenting in detail on the other issues
raised in this thread except to say that I agree with those who said
that using crypto properly takes more dedication than the average user
is willing (and no offense intended, able) to apply. As technologists I
think it's incumbent on US to figure out a middle ground that allows
people to use crypto in a way that is "good enough" for many purposes
even if it is not what we would consider "robust" or "secure" by our
definition(s). Of course then that opens up the can of worms that Robert
H. mentioned in regards to "adding crypto to things can make them worse,
not better ..."


hth,

Doug

-- 

	Improve the effectiveness of your Internet presence with
	a domain name makeover!    http://SupersetSolutions.com/

	Computers are useless. They can only give you answers.
			-- Pablo Picasso




More information about the Gnupg-users mailing list