On 9/6/13 7:04 PM, Ted Lemon wrote:
> > It's not at all clear to me that "serious" trust mechanisms should be
> > digital at all.
>
> They're not.
> Be that as it may, we have an existence proof that
> a web of trust is useful—Facebook, G+ and LinkedIn all operate on a
> web of trust model, and it works well, and, privacy issues aside,
> adds a lot of value.

I'm not quite sure how we got from the question of how to
do crypto better as a means to provide stronger privacy
protections to the value of Facebook, to be honest.
Possibly because of the key signing proposal.

But here's some anecdata. Got a FB friend request from
someone I didn't know, checked him out and we seemed to have
quite a few friends in common, so I accepted. When he did,
in fact, turn out to be a jerk, I wrote to some of the
friends-in-common and it turns out that nobody knew who he
was - a few people with lax friending policies had accepted
his friend requests and that formed the basis for a bunch of
the rest of us assuming he'd be okay.

At any rate I think it's pretty clear that the semantics
of pgp signing are not agreed-upon and that's led to a
lack of clarity around individual decisions about key signing.
I find pgp useful for sloppy, casual, but easy-to-use crypto
but I certainly wouldn't want to use it as the basis for
assurances about identity, etc.

Melinda