Robert J. Hansen rjh at
Tue Feb 21 14:29:27 CET 2012

On 2/20/12 7:55 PM, Steve wrote:
> Hm, that was also bothering me with the other mails you wrote on
> this topic earlier. It's already very late here, so bear with me I'm
> taking this from remembrance. You said due to the fact that the world
> is very big and web of trust not used much, it can't serve as a good
> information tool since most likely the signatures will be from people
> I don't know.

I think this is a mischaracterization of my position.  My position is,
"PKI is hard."  We don't have any tools that can scale up to the size of
the world.

> I'm not so sure about that.  Wonder why Google called the grouping
> feature in G+ "circle"? We communicate and behave and live in
> circles.

Circles that are increasingly separate from actual physical interaction.
There are a lot of people in my circles I've never met before, which
makes the problem of verifying their keys rather difficult.

Social media will not solve the PKI problem.  In many ways it makes it
worse.  Social media is predicated around the idea that you have given
up your privacy and anonymity in exchange for being more connected to
the social flow around you.  Before Facebook, people who used encryption
and other privacy technologies were looked at by the population at large
as being kind of kooks.  Now we're being looked at as if we're about to
step off into the woods with Ted Kaczynski.

The things that we value are increasingly out of step with the things
our society values.  And, you know, that's fine: there are *lots* of
communities with values out of step with those of the larger society.
But we should be cautious of thinking that we're going to wave a little
crypto magic fairy dust and suddenly everyone will come to our side of
the privacy fence: they won't, and it doesn't matter how good our
Kool-Aid tastes.

> Wouldn't that mean that actually the web of trust should work well?

The question is not whether we think it should work well, but rather
whether it *does* work well.  It doesn't.

> I think the web of trust is an awesome idea and again (as with 
> encryption in general) it's up to each and every human to make use
> of those tools.

As long as people have to make a conscious choice to use these tools,
these tools will never become mainstream.

> Isn't the big difference that OpenPGP is a decentralized concept
> while S/MIME requires centralized infrastructure?

Not really.  S/MIME is as capable of decentralized behavior as OpenPGP.
