A Probabilistic Trust Model for GnuPG (2006)

Robert J. Hansen rjh at sixdemonbag.org
Tue Dec 11 13:46:07 CET 2012


On 12/11/2012 2:39 AM, remo.hertig at bluewin.ch wrote:
> Why was this functionality never implemented?

Forgive the snarky response, but: because no one, yourself included, has
bothered to implement it.

Looking over this paper, it does not seem to pass my sniff test for
academic works.  For instance, there's no thesis statement anywhere on
the first page: they say "In this paper, we will first give a short
overview of the PGP trust model ... to point out some of its inherent
weaknesses and deficiencies."  Okay, fine: but if they can't give a
one-sentence description of what problem they found, it makes me think
they didn't find much of a problem.

This view of mine is mostly confirmed by page two.  The first "major
deficiency" of the WoT they present -- and remember, standard writing
style is to start off with the big things, so we can reasonably infer
this is the major takeaway -- is "the limited levels of trust in PGP
[are] clearly insufficient to reflect possible varying opinions about an
introducer's trustworthiness.  In real life, it may be that among two
marginally trustworthy introducers one of them is twice more trustworthy
than the other.  Unfortunately, the PGP trust model does not support
such a distinction."

I've been using PGP since 1991.  I've used it professionally, I've set
up and deployed sites that use hundreds of certificates.  And never, not
once, have I ever lamented the lack of fine-grained trust decisions in
the WoT.  More to the point, I don't think fine-grained trust is
possible.  You can't say, "Bob is 53% trustworthy and Alice is 55%
trustworthy."  Trust is a human concept, and as such it finds its
manifestation in qualitative rather than quantitative terms.  "Marginal
trust" is a qualitative term: "53% trust" is a quantitative term.

So, their biggest objection to the WoT is, IMO, a dog that won't hunt.
I also agree with Nicholas, who said that he didn't find their
"counter-intuitive" example to be at all counter-intuitive.  I'll go one
step further: anyone who expects to analyze the behavior of a formal
system by means of intuition is living in sin.  Describing the behavior
of a formal system as "counter-intuitive" is sort of like the old joke
about a philosopher who justified a really bad decision on the grounds
that it "felt like the logical thing to do."

So, yeah.  I see this paper as solving a nonexistent problem.  I don't
think it's something the GnuPG developers should tackle: we have other
more important things to spend our limited developer resources on.






More information about the Gnupg-users mailing list