WoT question - policy

Stefan Claas stefan.claas at posteo.de
Fri Nov 16 18:47:05 CET 2018


On Fri, 16 Nov 2018 11:31:35 -0500, Daniel Kahn Gillmor wrote:
> On Fri 2018-11-16 17:00:33 +0100, Stefan Claas wrote:
> > I understand your points, but like to point out my view of sig0
> > and why i think it is not good and why i wrote a policy that way.  
> 
> I think you're talking about this:
> 
> >     With the sig0 approach i have the following problem: I could
> > create a couple of fake keybase accounts, for example, give each
> > other a sig0 and then what is this good for if i follow the advice
> > from the blog and what trust should a third party gain from this
> > many sig0 on such a key?  
> 
> I confess i do not understand what this has to do with sig0.  Surely
> the same "attack" can be mounted via sig2?  I also don't know what
> "advice from the blog" means, and i don't think the word "trust" in
> the final question is well-defined -- what third party gains what
> kind of trust? Sorry to be so dense!

O.k. before i try to explain what i mean i like to ask why do we have,
or need a Web of Trust and what is it good for?

You are a well respected community member, i assume. For me
it would be enough if your key bears no sigs. If i would like to
communicate with you i only need to be sure that the fingerprint
matches, when downloading your key from your web site. Same
imho applies if i would be an activist and would like to communicate
with EFF for example. I download the key from their site and encrypt
to them.

Now, since we have PGP and GnuPG with the Web of Trust and
its sig levels you make your points on your blog. I understand,
as a non-native English speaker, that i or someone else should
think about using sig level 0.

With my humble approach i avoid sig level 0 and also try with
sig2 level and sig3 to do my best to avoid any surprises due
to the fact that i like to use a postcard / letter method for
verification, so that a third party or the requester know
there is some documentation (the postcard) available.

If we had certified CAs globally, like Governikus, and they
would do cross certifications, PGP or GnuPG would not need
all those sig levels, every user would be properly registered
if he / she likes to do so and there would be no need
for an extensive explanation in the manual nor a discussion
about sig levels, policies and what not. Everybody is still
free, in case of not trusting governmental institutions, to
use PGP / GnuPG the classic way.

> In response to the situation i *think* you're describing, i'd say:
> 
>    If you rely on mere quantity of any type of certification from
>    parties you cannot identify and have no clear reason to trust, then
>    you are open to a trivial Sybil attack. 
>    [https://en.wikipedia.org/wiki/Sybil_attack]

Yes.

> >> Keep it simple.  (or, don't bother)  
> >
> > Agreed, use X.509... ;-)  
> 
> eh?  I have never said (and would never say) that X.509 is "simple".
> it's grossly overcomplicated for what it's typically used for, even
> worse than OpenPGP.

This was more a joke, but i must admit (i own a classII and classIII
X.509 certificate) and in combination with Thunderbird there is
no learning phase and it's quite simple to use and you have the
assurance that the name and email belong to that person you
are communicating with, without consulting a manual etc.

> >  (disagree, see my point when it comes to Protection of Minors)  
> 
> I think you're referring to this part of
> https://stefan_claas.keybase.pub/policy.txt:
> 
> > ***Protection of minors***
> > 
> > While there is no law, as far as i know, which says you are only
> > allowed to use strong encryption tools if you are an adult i like
> > to point out one thing which parents or young teenagers, brand new
> > to PGP / GnuPG and the Web of Trust, must understand.
> > 
> > The word trust does *not* mean: Hey, this is a cool girl or guy, i
> > can trust, because he/she uses PGP/GnuPG and has signatures on
> > his/her public key. It simply means that it publicly states that
> > "someone" has somehow attested that the public key belongs to that
> > "person".
> > 
> > Therefore i strongly advise parents and young teenagers to back up
> > the secret key, *including the passphrase* written on a piece of
> > paper. Deposit them in a safe place. Back up your communications and
> > encrypt to yourself. Should something happen law enforcement is
> > then able to read the messages.  
> 
> The middle paragraph is exactly the point i was making in my earlier
> mail -- definitely agree. :)

:-) 
 
> But i fail to see what any of this has to do with minors specifically
> (surely the good guidance applies after reaching the age of majority
> as well), or how law enforcement happened to sneak in at the end
> there.  I suspect you're imagining some specific scenario that i
> don't know about, but i don't know what it is or how it relates to
> OpenPGP certification.

While minors are usually smarter (or they think they are) than their
parents, my thought is / was to create a policy which shows clearly
that i try to do a proper verification, give a sig level to do my best.
In case something could happen i can show a postcard.

I mean why do we have the possibility for a WoT verification
with its sig levels? If i issue a sig0 that could mean i don't like to
tell because i have something to hide from the public WoT or
i cheat. Sure if people use other policies or none they could do
the same for level 2 and 3.... :-(

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas