Verification via the web of trust

Andrew Gallagher andrewg at andrewg.com
Tue Mar 22 19:14:45 CET 2016


On 22/03/16 17:11, Peter Lebbing wrote:
> 
> That trust is not transitive is not some quirk of the web of trust: it
> is fundamental. I might trust Carl, and Carl might trust Jenny, but if I
> don't know Jenny, I would not trust her, despite the fact that I trust
> someone who trusts her. Trust is personal and direct, not transitive.

All this is true. But this does not help *me* one iota.

While the usual formulation of the web of trust (or any PKI for that
matter) runs along the lines of "given that I trust this finite list of
people, can I verify this particular signature?", the question most
useful to a user is "given this particular signature, how much
confidence should I invest in it?".

They are not the same question.

Real world example. I wanted to install the latest copy of Apache for
windows. It is signed by one William A Rowe Jr. I do not know William A
Rowe Jr, nor do I know any of the people who have signed his key, nor am
I ever likely to meet them, let alone trust them enough to verify other
keys on my behalf. I'd never even heard of William A Rowe Jr before I
tried to download his software. And yet the PGP signature on that binary
must be worth something other than zero.

In my quest to verify the signature of William A Rowe Jr, I ended up
downloading over a thousand keys. Even importing the entire Debian
keyring and setting them all to marginal trust (I'm already trusting
them to write my OS, so why not?) wasn't enough. I did manage it in the
end by assigning full trust to a judicious selection of people that I
recognised by name and reputation, and a few that I didn't.

Sure, it probably wasn't worth the effort I spent on it. And of course,
I then ended up with a terrifyingly liberal trustdb - but which was
still not liberal enough to verify a significant fraction of posts to
debian-security despite me marginally trusting their entire keyring.

My point is, there are times when you want to be absolutely certain that
a particular key belongs to someone you know and trust. And there are
times when you are looking for whatever assurances you can get that some
random dude on the internet isn't about to pwn your server. I'd contend
that the second use case is far more common than the first.

If you can't ascribe at least *some* level of trust to multiple PGP
signatures in the WOT made by named individuals (even those not
personally known to you), then you certainly shouldn't be relying on
X509 certificates issued by a single one of hundreds of faceless CAs
through some automated process. But every day you do that, because the
alternative is not to use the internet at all.

A


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20160322/ac960a4c/attachment.sig>


More information about the Gnupg-users mailing list