Web of Trust in Practical Usage

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu May 2 05:49:53 CEST 2013


Peter Lebbing's thoughtful consideration of the issues in this thread
was spot-on, imho.  Thanks, Peter!

On 04/29/2013 12:29 AM, Quinn Wood wrote:
> My question in simpler terms could probably be summed up "How can one find
> the most popular- most signed- key (matching some query such as name or
> email of course) while successfully avoiding falsely inflated signature
> counts (such as keys which only have more signatures than another due to
> their age or due to actual malicious acts like mass signing.)"

One person's "falsely-inflated signature counts" is another person's
"well-established participant in the keysigning culture", i'm afraid.

One of the beauties of OpenPGP's certification model is that no one can
require anyone to consider any particular certification (or set of
certifications) to be acceptable or valid.  And this is a good thing,
because if you tell me that the "most popular" key is just the one
signed by the most other keys, and the key you're looking for belongs to
a user named "Alice <alice at example.org>", then all i have to do is scan
the keyservers for such a key, see that it has certifications from N
keys on it, and then create a new key with User ID "Alice
<alice at example.org>", plus N+1 new keys, and have them all certify the
new key+userid.

when the cost of a new "sockpuppet" identity is nil, voting systems
(like "most popular key") tend toward being gameable.

what specifically are you trying to do in the bigger picture?  maybe
folks here can give you some suggestions if we can see what you're
trying to accomplish in the abstract?

hth,

	--dkg
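An added Python sketch, not from this thread or from GnuPG, that models the argument above on a constructed keyserver snapshot: a "most certifications wins" metric is beaten by N+1 free sockpuppet keys, while an OpenPGP-style check that only counts certifications from introducers the local user has assigned ownertrust to (GnuPG's default thresholds of 1 full or 3 marginal introducers are assumed) still selects the genuine key.

```python
from collections import defaultdict

# Constructed keyserver snapshot (sample names, not real key IDs): maps a key to the
# set of keys that have certified its "Alice <alice@example.org>" User ID.
def build_snapshot():
    certs = defaultdict(set)
    certs["alice-real"].update({"bob", "carol", "dave"})  # long-standing keysigning contacts
    return certs

def add_sockpuppets(certs, target, n):
    """Register `target` with Alice's User ID and n fresh keys that all certify it.
    Creating a key costs nothing, so n can always be chosen to beat the real count."""
    certs[target].update(f"sock{i}" for i in range(n))
    return certs

def most_popular(certs, candidates):
    """The metric questioned in the thread: the key with the most certifications wins."""
    return max(candidates, key=lambda k: len(certs[k]))

def valid_under_trust(certs, candidates, ownertrust, completes_needed=1, marginals_needed=3):
    """OpenPGP-style evaluation: a User ID is valid only if enough certifications come
    from keys the *local* user trusts as introducers (GnuPG defaults: 1 full or 3 marginal).
    Sockpuppet keys have no ownertrust, so their certifications carry no weight."""
    valid = []
    for key in candidates:
        full = sum(1 for s in certs[key] if ownertrust.get(s) == "full")
        marginal = sum(1 for s in certs[key] if ownertrust.get(s) == "marginal")
        if full >= completes_needed or marginal >= marginals_needed:
            valid.append(key)
    return valid

def demo():
    certs = build_snapshot()
    n = len(certs["alice-real"])
    add_sockpuppets(certs, "alice-fake", n + 1)  # N+1 sockpuppets, as in the post
    candidates = ["alice-real", "alice-fake"]
    ownertrust = {"bob": "full", "carol": "marginal"}  # what *this* user has decided
    return most_popular(certs, candidates), valid_under_trust(certs, candidates, ownertrust)

if __name__ == "__main__":
    popular, valid = demo()
    print("most popular:", popular)            # alice-fake: popularity is gameable
    print("valid under local trust:", valid)   # ['alice-real']
```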
