Managing the WoT with GPG
Neal H. Walfield
neal at walfield.org
Mon Jun 26 11:53:16 CEST 2017
At Mon, 26 Jun 2017 11:27:30 +0200,
martin f krafft wrote:
> > Martin, I think --no-auto-check-trustdb and a cron job will
> > already make it much more bearable, with the current state of
> > things. That's what I'd suggest.
>
> I've been doing that for a long time already, and yes, it mitigates
> the issue a little bit. I still think that the interface doesn't
> exactly invite people to invest time into the WoT, which directly
> translates into lesser quality.
I disagree that this is the bottleneck. Two very strong arguments
against the WoT, IMO, are:
1. Key signing is too hard to do right.
2. Key signing exposes the social graph.
1 means that people primarily interested in protecting their privacy
don't bother.
2 means that organizations like the Organized Crime and Corruption
Reporting Project (OCCRP) can't use the WoT, because it places their
reporters and sources in danger.
We could perhaps fix 1 by doing more red teaming (i.e., fake attacks
so that people see the actual utility of checking keys), but I'm not
sure that's the best way forward.
:) Neal
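The mitigation mentioned in the quoted text (`--no-auto-check-trustdb` plus a cron job) is easy to get half right, so here is a small POSIX shell example of the full setup. This is an added illustration, not code from the thread or from GnuPG; it assumes the keyring directory is `~/.gnupg` unless another path is passed, and the 03:15 schedule and the helper function names are arbitrary choices.

```shell
#!/bin/sh
# Added example (not part of the original thread): stop GnuPG from
# recomputing the trust database on every interactive run, and instead
# recompute it on a schedule so WoT trust values stay current.
# Assumption: the GnuPG home is $1 or, by default, ~/.gnupg.

# Put `no-auto-check-trustdb` into gpg.conf exactly once (idempotent).
# Prints the number of matching lines, i.e. 1 when configured.
disable_auto_trustdb_check() {
  dir="${1:-$HOME/.gnupg}"
  conf="$dir/gpg.conf"
  mkdir -p "$dir" && chmod 700 "$dir"    # gpg refuses unsafe permissions
  touch "$conf"
  if ! grep -qx 'no-auto-check-trustdb' "$conf"; then
    printf '%s\n' 'no-auto-check-trustdb' >> "$conf"
  fi
  grep -c '^no-auto-check-trustdb$' "$conf"
}

# The cron entry that does the work gpg no longer does on its own:
# `gpg --check-trustdb` recomputes trust for every key in the keyring.
# (Schedule 03:15 daily is an arbitrary choice for this example.)
trustdb_cron_line() {
  gpghome="${1:-$HOME/.gnupg}"
  printf '%s\n' "15 3 * * * GNUPGHOME=$gpghome gpg --batch --quiet --check-trustdb"
}

# Add that entry to the calling user's crontab without duplicating it.
# Not run by the self-test below because it edits the real crontab.
install_trustdb_cron() {
  line="$(trustdb_cron_line "$1")"
  current="$(crontab -l 2>/dev/null || true)"
  if printf '%s\n' "$current" | grep -qF -- "$line"; then
    return 0                               # already installed
  fi
  printf '%s\n%s\n' "$current" "$line" | sed '/^$/d' | crontab -
}
```

Usage: `disable_auto_trustdb_check` followed by `install_trustdb_cron`; afterwards `gpg --check-trustdb` is the only thing that updates trust values, so a cron job that silently stops (for example after a GNUPGHOME move) leaves the trust database stale rather than breaking anything visibly.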