2015-03-26 08:32:33
On Wed, Mar 25, 2015 at 6:25 PM, Christoph Anton Mitterer
<calestyo(_at_)scientia(_dot_)net> wrote:
> On Wed, 2015-03-25 at 22:56 -0500, Phillip Hallam-Baker wrote:
>> Web of Trust is a fine academic
>> theory but it is not how OpenPGP is really used in the real world.
> How else do you use it?

I see people using fingerprints directly mostly. Some download them
from key servers.

By Web of Trust I mean actually following a chain to check a key.

The lesson here that I draw is to look at how people are actually
using OpenPGP in practice and work out ways to apply the same approach
to other similar problems.
> Well, if your goal is to drop the WoT, respectively simply let people
> download stuff from a (secured or not) keyserver believing whatever
> comes and hoping for the best,... then better call it something else
> (InsecurePGP?) and leave OpenPGP as is.

No, I think there are quite a few things that we can do today that
change the WoT game. People carry smart phones with near field
communication, barcode, cameras. So signing can be made a lot simpler.

Another very important and useful development is Certificate
Transparency, which has the effect of making the work factor for
spoofing a key suddenly go to practically infinity.

Another resource to bring to bear is social networking.

And yet another is CA issued. If you want to know that someone is
sending a message from the US govt or a company that is organized in
hierarchical fashion, a hierarchical PKI makes sense.

I describe a hybrid approach in some detail with a mechanism for
comparing trust models in terms of a 'social work factor' here:


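The two ways of checking a key that this exchange contrasts (comparing a fingerprint obtained out of band versus "actually following a chain" of certifications from a key you already trust) can be made concrete with a small model. The following is an added example, not code from anyone in this thread: a toy keyring holding key fingerprints, user IDs and the certifications (key signatures) between keys, with a breadth-first search that finds a certification chain of bounded length from a trusted introducer to a target key. The fingerprints and user IDs are constructed placeholders, and the trust model is deliberately simplified (every certification counts as full trust; there is no marginal trust, expiry or revocation).

```python
from collections import deque


class Keyring:
    """Toy OpenPGP-style keyring: keys plus the certifications between them.

    Constructed for illustration only; fingerprints are placeholder strings.
    A certification is an edge signer -> target meaning "signer vouches that
    `target` really belongs to the user ID it carries".
    """

    def __init__(self):
        self.uids = {}       # fingerprint -> user ID string
        self.certified = {}  # signer fingerprint -> set of fingerprints it signed

    def add_key(self, fingerprint, uid):
        self.uids[fingerprint] = uid
        self.certified.setdefault(fingerprint, set())

    def certify(self, signer, target):
        # Both keys must already be on the ring; otherwise the edge is meaningless.
        if signer not in self.uids or target not in self.uids:
            raise KeyError("both keys must be on the keyring before certifying")
        self.certified[signer].add(target)

    def lookup_uid(self, uid):
        """What a bare keyserver search by user ID gives you: every key
        claiming that uid, with nothing to distinguish genuine from impostor."""
        return sorted(fp for fp, u in self.uids.items() if u == uid)

    def trust_path(self, trusted_roots, target, max_depth=3):
        """Follow certification chains outward from keys trusted directly.

        Returns the list of fingerprints from a trusted root to `target`, or
        None if no chain of at most `max_depth` certifications exists.
        """
        queue = deque((root, [root]) for root in trusted_roots if root in self.uids)
        seen = set(trusted_roots)
        while queue:
            current, path = queue.popleft()
            if current == target:
                return path
            if len(path) - 1 >= max_depth:   # path already uses max_depth edges
                continue
            for signed in self.certified.get(current, ()):
                if signed not in seen:
                    seen.add(signed)
                    queue.append((signed, path + [signed]))
        return None


def build_sample_ring():
    """Constructed sample: alice -> bob -> carol, plus an uncertified key that
    merely claims carol's user ID."""
    ring = Keyring()
    ring.add_key("FP-ALICE-0001", "alice@example.org")
    ring.add_key("FP-BOB-0002", "bob@example.org")
    ring.add_key("FP-CAROL-0003", "carol@example.org")
    ring.add_key("FP-IMPOSTOR-0004", "carol@example.org")  # same uid, no certifications
    ring.certify("FP-ALICE-0001", "FP-BOB-0002")
    ring.certify("FP-BOB-0002", "FP-CAROL-0003")
    return ring


if __name__ == "__main__":
    ring = build_sample_ring()
    roots = {"FP-ALICE-0001"}  # the key the user verified in person
    print("keyserver search for carol:", ring.lookup_uid("carol@example.org"))
    print("chain to carol:", ring.trust_path(roots, "FP-CAROL-0003"))
    print("chain to impostor:", ring.trust_path(roots, "FP-IMPOSTOR-0004"))
    print("chain to carol, depth 1:", ring.trust_path(roots, "FP-CAROL-0003", max_depth=1))
```

The `lookup_uid` call shows why downloading "whatever comes" from a keyserver by name is not a check at all: both keys claim the same user ID. The chain walk accepts carol's key only because a signature path leads back to a key the user verified directly, and rejects the impostor key, which nobody has certified; the depth limit is the knob that decides how long a chain one is willing to believe.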