[guardian-dev] Public Web of Trust Must Die?
Hans of Guardian
hans at guardianproject.info
Thu Jul 11 13:19:05 EDT 2013
On Jul 11, 2013, at 10:30 AM, Peter Todd wrote:
> On Mon, Jul 08, 2013 at 07:08:01AM -0400, Nathan of Guardian wrote:
>>
>> At GP, we talk a great deal about offline keys and direct device-to-device alternatives for building private web of trust links between people.
>>
>> What more can or should we do in our work with GnuPG on Android?
>
> Huh?
>
> The whole point of the web-of-trust is to be able to determine if a PGP
> key for someone you *don't* already have a personal relationship with is
> valid. That implies that the web-of-trust is public information. Yes, in
> some cases this is a bad thing, in many cases it isn't.
>
> You may very well decide that the web-of-trust is too dangerous for
> your average user, but recognize that alternatives to it for its
> intended purpose all have their own drawbacks like dependence on
> centralized PKI infrastructure. For the device-to-device use-case GPG
> supports non-exportable local-use-only signatures anyway.
>
> In any case the metadata of "who has signed what key" is far less
> interesting and reveals much less information than metadata about every
> message sent between users. Never mind the author's bizarre obsession
> with Michael Vario's harmless vandalism.
The web-of-trust (WoT) does not have to be a binary, all or nothing thing. The public WoT is a very useful thing and there are certain things that it solves that are only possible by having the data public, for example software distribution like Debian, etc. But we are also thinking about other use cases. For example, if you are part of a large group of people organizing a protest in a repressive country, you'll be talking to a group of people larger than the people you know, but that information does not need to be public for it to be effective.
You can have offline, peer-to-peer syncing of the certification signatures, so you know that the only people who have this p2p WoT data will be people who have physically met up. Sure, someone could leak that info, but that is always the case, like Snowden just demonstrated with Top Secret NSA and FISA data. There could be an even more limited WoT where you enforce how many hops away the people are before they are allowed to be synced. Like only people two hops away would be synced, so when you sync with someone, only the people they have directly signed would be synced with you.
.hc
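
The hop-limited sync described in the message above, sketched as an added example that is not part of the original thread or any Guardian Project code. The function name, the `(signer, signee)` store layout and the sample names are assumptions, and the hop limit is generalized beyond the two-hop case the message mentions.

```python
from collections import deque

def certs_to_share(store, peer, max_hops=2):
    """Return the certifications `peer` hands over during a p2p sync.

    store: set of (signer, signee) pairs held on the peer's device
    (hypothetical layout). The receiver is hop 0 and the peer is hop 1,
    so a key certified by a signer at distance d from the peer lands at
    hop d + 2 from the receiver's point of view.
    """
    by_signer = {}
    for signer, signee in store:
        by_signer.setdefault(signer, set()).add(signee)

    shared = set()
    dist = {peer: 0}            # shortest signature-path distance from peer
    queue = deque([peer])
    while queue:
        signer = queue.popleft()
        if dist[signer] + 2 > max_hops:
            continue            # this signer's signees are past the limit
        for signee in by_signer.get(signer, ()):
            shared.add((signer, signee))
            if signee not in dist:
                dist[signee] = dist[signer] + 1
                queue.append(signee)
    return shared

# Constructed sample: certifications stored on bob's device.
BOB_STORE = {
    ("bob", "carol"), ("bob", "dave"),
    ("carol", "erin"), ("erin", "frank"), ("dave", "bob"),
}

if __name__ == "__main__":
    for limit in (1, 2, 3):
        print(limit, sorted(certs_to_share(BOB_STORE, "bob", limit)))
```

With a limit of two, bob's device releases only the signatures bob made himself, so carol's and erin's further links stay on his device.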