Reflux on distrusting trust.

[reddragdiva]

I think I've encapsulated what strikes me as most nonsensical about the 'web of trust' part of a Public Key Infrastructure system. Check this fucked-up shit: GnuPG Keysigning Party HOWTO.

I haven't required that level of ID verification from people I've shacked up with.

These people really think this will build a 'web of trust' involving someone other than dedicated and fanatical drones for the Cause those obsessed with "great opportunities to discuss the political and social issues surrounding strong cryptography, individual liberties, individual sovereignty, and even implementing encryption technologies or perhaps future work on free encryption software." That this will spread their web beyond people who are already true believers.

It's geek social fallacy #4 as a Taylorised procedure. It tries to make social trust into the binary absolute of mathematical, cryptographic trust, so looks like it was created by people with no damn clue what social interaction is or is for. Social interaction is all about the grey areas.

Comments

[rbarclay.livejournal.com]

I've organized such an event myself.

[reddragdiva]

So LART me about my fundamental misconception(s) ;-)

[rbarclay.livejournal.com]

Your misconception seems to be that you regard everyone who uses crypto in the first place must be a dreamy geek who has no connection with reality at all.
But I have to disagree with that.
It's nice to have a web of trust, as long as one if aware of the limitations inherent in the scheme and underlying technology. PKI (nor crypto generally) will not make World Peace come in half a year, it won't even get Dubya thrown over.

[reddragdiva]

OK, I'm getting binary about it myself. But I find the entire 'web of trust' concept deeply flawed for the reasons stated.

[rbarclay.livejournal.com]

You shouldn't forget that there's much money involved (PGP, verislime and countless others), so there's a lot of buzzwords and other marketing shit around the topic.
In my little corner of the "web of trust", for example, there's people I trust. Completely. To the extent that they actually have the root-password for my server, and if it would change I'd trust crypto far enough to send them the update via email. But would I trust a chain of signatures 4 hops removed? Hell, no. It might be a nice little add-on clue, though (a recent example was the announcement of the Debian server compromise).

[reddragdiva]

Mmm. Between the fanatics and the marketers, the concept didn't really have a hope.

The fanatics will keep it going should it ever achieve anything like usability for the non-geek. Even though "Given a choice between dancing pigs and security, users will pick dancing pigs every time." (Ed Felten)

[reddragdiva]

The reason I'm getting binary about it is that it can only mathematically work if one makes social trust into the product of a deterministic procedure, when that's missing the point entirely. And I'm not talking about the extreme form of 'Web of Trust' - I mean even people a second hop away. I have no reason whatsoever to place social trust by mathematical procedure, unless it would rest on LARTability of my immediate connection to them.

[kraant.livejournal.com]

My web of trust is based on whether I know, and they know that I know, where someone lives.

If I know where someone lives I will trust them. At least to some extent.

...

;)

[hellsop.livejournal.com]

Honestly, I think you're very close to having honed in on the problem, but I feel that there's a critical element that might possibly be phrased backwards: What they have no damn clue about though is what "trust" is, and that's what they're attempting to quantify and isolate. All the documentation and so forth and 37 signatures on a key doesn't tell anyone whether the keyholder is a thief or not. And a lot of the key-signing kerfluffle exists solely to convince people (to both themselves and to others) that somehow there's a higher cost to being a thief if someone's got 37 signatures on his GPG key, when it really doesn't matter at all.

[reddragdiva]

And the keenness on physical presence of someone you've never seen before the keysigning party and may never see again. Fanatical devotion at the expense of a point.

[hellsop.livejournal.com]

I'm sure that the logic runs that no one could possibly lie in their physical presence....

[blarglefiend.livejournal.com]

The "logic", such as it is, is that it's really easy to fake stuff online. It's... still easy, but slightly less trivial, to fake stuff in the real world. You'd have to go to the trouble of getting fake ID.

And as I understood the whole thing, the idea was that you don't sign keys for someone you've never met before. You only sign them for people you can verify as being who they say they are -- that is, people you've met before and know reasonably well.

That said, it's all far too much hassle for me and I'm not sure I see much point. I use GPG when I'm sending possibly-sensitive data and I know the recipient, or when correspinding with rbarclay because he has my public key and it's all automatic on his end.

[wechsler.livejournal.com]

In PGP, IIRC, signing someone's key as belonging to them is not the same as stating that you trust them to sign anyone else's.

If someone you've never seen before presents you with 3 pieces of ID and a signed affidavit by Nelson Mandela, you can confirm that you believe that key to belong to them, but don't trust them an inch to sign anyone else's key.

[steer.livejournal.com]

Hmm... I can see that knowing "three of my friends will vouch for X" or "five friends of my friends will vouch for X" is a useful way of knowing whether you can or cannot trust that someone is who they say they are. But I think if you need that level of trust you should re-engineer your social life not your PGP key.

[mjg59.livejournal.com]

For something like Debian, there's a desire to have a web of trust - every package uploaded has to be identified as coming from someone that Debian trusts, and since we trust everyone involved not to upload a package that does rm -rf / on install it's not too much of a stretch to expect them to engage in the same level of verification of somebody's identity as was done for them originally (the fact that you'd have to be at least somewhere on the autistic spectrum to want to be involved in Debian anyway probably makes this more reasonable...). But the idea isn't inherently to absolutely prove anything about the person - the idea is to make an attack involving uploading packages more awkward than just cracking the damn server (a-ha ha ha), which seems to work. Someone could turn up and present false ID and a false name and get into that web of trust, but they could also turn up and present false ID and get physical access to the machine. If that level of paranoia is involved, there's no real way you can win, so why bother worrying?

[http://users.livejournal.com/_nicolai_/]

Hmm. Some things to consider:

I haven't required that level of ID verification from people I've shacked up with.
You're easy.

Flip insults aside, consider how the former LISA PGP key signings worked: they had specified criteria for them to sign your key, so that if you had a key signed by the LISA signing key you knew that a computer system operated by some very paranoid bastards (Greg Rose et al) had been used to sign the key after the owner had presented a passport or equivalent ID to show they were the person named.

Some signing keys have implicit levels of verification of the person concerned.

As also noted, signatures can be varying degrees of trust as an introducer. Signing a key to say it belongs to someone is also all about a key and a person, not about what else they do in life. I'll happily sign (asserging key==person) the key of a total flake who's an old friend of mine. I won't lend him my credit card. If I get your key from your very own sticky paws and I recognise you (a test snog ought to do it ;) ) then I can state the key's yours with very high confidence. I might not trust you at all to introduce anyone else, though.

The whole web of trust is also about producing a continuous function by averaging many binary values (or many very finitely discrete values - trust/notrust, or trust levels of 0/1/2/3/4 only).

[owdbetts.livejournal.com]

I know this is an old post, but I'm still slowly catching up with LJ... :-)

I think you misunderstand how PGP trust works.

The object of the game is to decide whether the key belongs to who it purports to belong to. In the traditional PKI world, someone like Verisign asserts this. You can verify that Verisign really has made this assertion, but you just have to take on blind trust that if Verisign says the key belongs to me, it must be true. If I happened to buy my certificate from Verisign, and you happen to think that Verisign can't be trusted, then we're kind of screwed.

With PGP, I can ask any number of people to do Verisign's job for me; to assert that I really am who I say I am.

When you receive my key, you still have to decide whether you actually trust any of the people who signed it to confirm my identity (obviously you shouldn't unless you know them, at least by reputation). You tell PGP who you trust as truthful (and competent) to confirm people's identity (this is the 'trust' value you're asked for when you get a new key) and then whenever you receive a new key, PGP automatically checks whether anyone you trust has signed it.

Of course, the problem is that trust _isn't_ transitive. The only way you can trust that my key belongs to me is if it is directly signed by someone you trust, and it's quite probable that it won't be.

Normally, of couse, I'd get people I know to sign my key, but it's quite probable that you simply don't know (or at least know and trust) anyone I know. That's where key signing parties come in. I get as many people as possible to sign my key (even people I don't know) in the hope of increasing the chances that someone you trust will have signed it.

Obviously, if these people are at all consciencious, they're not going to assert that I am who I say they are unless they've checked my ID (since they don't know me). And obviously, you're not going to trust them unless you're confident they're conscientious.

Ideally, of course, what I want to do is get my key signed by supernodes. eg, if you were to sign my PGP key, then immediately I have a high chance that any London goth I give my key to will find a signature by someone they know and trust (always assuming that most people trust you :)

I don't necessarily have to meet you for this to happen. I could, for instance get Nicolai to sign my key next time I see him. I could then send you a copy of my key and ask you if you'd be prepared to sign it. Assuming that you have a copy of Nicolai's key, you could verify that he did indeed sign it and then, assuming you are confident that Nicolai is both trustworthy and competent, you would be confident that the key did indeed belong to me. As a favour to me, you might then in turn be prepared to sign it to assert that I am who I say I am, but that's not something to be done likely—you would essentially be staking your reputation on the fact that Nicolai hadn't screwed up...

The whole thing is a pain. But it's the price you pay for not just blindly trusting the organisations that they tell you to trust (ie Verisign, etc). Everyone has to make their own decisions who to trust.

Hope this makes some kind of sense...

-roy