
Re: pgp signing in van

2013-09-07 11:21:53
On 9/6/2013 11:04 PM, Ted Lemon wrote:
> On Sep 6, 2013, at 10:35 PM, Melinda Shore <melinda(_dot_)shore(_at_)gmail(_dot_)com> wrote:
>> I actually don't think that pgp is likely to be particularly
>> useful as a "serious" trust mechanism, mostly because of
>> issues like this.
>
> It's not at all clear to me that "serious" trust mechanisms should be digital at all.
> Be that as it may, we have an existence proof that a web of trust is useful -- Facebook, G+
> and LinkedIn all operate on a web of trust model, and it works well, and, privacy issues aside,
> adds a lot of value.   IETF uses an informal web of trust, and it works well.   Most open source
> projects use informal webs of trust, and they work well.   PGP signing for software distribution
> works well.


I think there is a "webs of trust" tendency to believe the negative or the worst isn't going to happen, well, to you, until it does or at least rears its head. There are many forms. It's a different set of mentalities with victims. Including the worth of dealing with it when it's local vs. widespread.

The question is, can we cover the protection of them all, communications wise, with protocols, guidelines and tools?

> What these mechanisms are not is a web of trust that you could use to
> authenticate a real estate transaction.   You shouldn't accept them as
> signatures on legal contracts.   You shouldn't use them to transfer large sums
> of money to strangers.   But they are definitely useful.


I think the best IETF can do is to make it available for consideration, and of course, use good engineering, and ethical, common sense.

We have conflictive goals among many in the marketplace, which is now global, and it's even within market and technology leaders. The IETF deals with communications and that should include with the end users as well. Who are the IETF customers?

--
HLS

