[guardian-dev] Public Web of Trust Must Die?
Peter Todd
pete at petertodd.org
Thu Jul 11 10:30:51 EDT 2013
On Mon, Jul 08, 2013 at 07:08:01AM -0400, Nathan of Guardian wrote:
>
> At GP, we talk a great deal about offline keys and direct device-to-device alternatives for building private web of trust links between people.
>
> What more can or should we do in our work with GnuPG on Android?
Huh?
The whole point of the web-of-trust is to be able to determine if a PGP
key for someone you *don't* already have a personal relationship with is
valid. That implies that the web-of-trust is public information. Yes, in
some cases this is a bad thing, in many cases it isn't.
You may very well decide that the web-of-trust is too dangerous for
your average user, but recognize that alternatives to it for its
intended purpose all have their own drawbacks like dependence on
centralized PKI infrastructure. For the device-to-device use-case GPG
supports non-exportable local-use-only signatures anyway.
In any case the metadata of "who has signed what key" is far less
interesting and reveals much less information than metadata about every
message sent between users. Never mind the author's bizarre obsession
with Michael Vario's harmless vandalism.
--
'peter'[:-1]@petertodd.org
00000000000000590458ab3c01c2ff504af2c3728086367ec4a7c58ef042f822