On Sep 6, 2013, at 11:12 PM, Melinda Shore
<melinda(_dot_)shore(_at_)gmail(_dot_)com> wrote:
> I'm not quite sure how we got from the question of how to
> do crypto better as a means to provide stronger privacy
> protections to the value of Facebook, to be honest.
> Possibly because of the key signing proposal.

It's not an accident. IMHO PGP is friending done right, in the sense that
only you and your friend need know you friended each other. There's no
central service provider who knows who's friends with whom, for all values of
whom.

> But here's some anecdata. Got a FB friend request from
> someone I didn't know, checked him out and we seemed to have
> quite a few friends in common, so I accepted. When he did,
> in fact, turn out to be a jerk I wrote to some of the
> friends-in-common and it turns out that nobody knew who he
> was - a few people with lax friending policies had accepted
> his friend requests and that formed the basis for a bunch of
> the rest of us assuming he'd be okay.

Don't blame your friends. I never friend anyone I don't know personally. Our
different styles illustrate the problem rather nicely... :)

> At any rate I think it's pretty clear that the semantics
> of pgp signing are not agreed-upon and that's led to a
> lack of clarity around individual decisions about key signing.
> I find pgp useful for sloppy, casual, but easy-to-use crypto
> but I certainly wouldn't want to use it as the basis for
> assurances about identity, etc.

Yes. But it is still _very_ useful.