Managing the WoT with GPG
Neal H. Walfield
neal at walfield.org
Mon Jun 26 11:53:16 CEST 2017
At Mon, 26 Jun 2017 11:27:30 +0200,
martin f krafft wrote:
> > Martin, I think --no-auto-check-trustdb and a cron job will
> > already make it much more bearable, with the current state of
> > things. That's what I'd suggest.
> I've been doing that for a long time already, and yes, it mitigates
> the issue a little bit. I still think that the interface doesn't
> exactly invite people to invest time into the WoT, which directly
> translates into lesser quality.
I disagree that this is the bottleneck. Two very strong arguments
against the WoT, IMO, are:
1. Key signing is too hard to do right.
2. Key signing exposes the social graph.
1 means that people primarily interested in protecting their privacy
2 means that organizations like the Organized Crime and Corruption
Reporting Project (OCCRP) can't use the WoT, because it places their
reporters and sources in danger.
We could perhaps fix 1 by doing more red teaming (i.e., fake attacks
so that people see the actual utility of checking keys), but I'm not
sure that's the best way forward.
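The mitigation quoted at the top of the message (put `no-auto-check-trustdb` in gpg.conf so signatures are not re-evaluated on every keyring change, and recompute the trust database from a cron job instead) as an added shell example; this is not code from the thread or from GnuPG itself. It assumes the default `~/.gnupg` layout; the function names, the 03:15 schedule and the idempotency check are choices made here.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: make the trustdb
# recomputation explicit instead of automatic, then schedule it from cron.
# Assumes gpg.conf lives in $GNUPGHOME (default ~/.gnupg); the file path,
# function names and cron schedule below are assumptions made here.

# ensure_no_auto_check_trustdb CONF
# Appends "no-auto-check-trustdb" to CONF unless an active (uncommented)
# line already sets it, so repeated runs leave exactly one copy.
ensure_no_auto_check_trustdb() {
    conf=$1
    [ -f "$conf" ] || : > "$conf"
    if grep -q '^[[:space:]]*no-auto-check-trustdb[[:space:]]*$' "$conf"; then
        return 0
    fi
    printf '%s\n' 'no-auto-check-trustdb' >> "$conf"
}

# count_setting CONF -> number of active no-auto-check-trustdb lines
# (grep -c prints 0 on no match; "|| true" keeps set -e callers alive)
count_setting() {
    grep -c '^[[:space:]]*no-auto-check-trustdb[[:space:]]*$' "$1" || true
}

# cron_line HOME_DIR -> a crontab entry that refreshes the trustdb nightly
# (03:15 is an arbitrary choice). --batch keeps gpg non-interactive, and
# GNUPGHOME is passed explicitly because cron runs with a minimal environment.
cron_line() {
    printf '15 3 * * * GNUPGHOME=%s/.gnupg gpg --batch --quiet --check-trustdb\n' "$1"
}

# run_check_now: perform the same recomputation by hand, if gpg is installed
run_check_now() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found; skipping" >&2; return 0; }
    gpg --batch --quiet --check-trustdb
}

# Usage: sh this_script.sh --apply   (writes gpg.conf, prints the cron line)
if [ "${1:-}" = "--apply" ]; then
    ensure_no_auto_check_trustdb "${GNUPGHOME:-$HOME/.gnupg}/gpg.conf"
    cron_line "$HOME"
fi
```

The trade-off is that trust calculations become as stale as the cron interval: a newly imported or revoked signature only affects validity after the next `--check-trustdb` run, which is the cost of not paying for the check on every key operation.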