undefined | Better HN

0 pointsReelin5y ago0 comments

> But trust isn't transitive so PGP's apparently more powerful offering doesn't actually do anything ...

Trust in the abstract isn't inherently transitive, agreed. I'd argue that employing PGP as though it were is misusing the tool (that might well be easier to do than it ought to be, but that's a different conversation).

WoT as realized by PGP seems to me to be a very good tool for manually assessing whether to trust a previously unknown key for someone that a third (untrusted) party sends you.

I remain highly optimistic that some future take on the WoT concept will be advanced enough to tackle trust in general in a distributed manner.

0 comments

rrdharan5y ago

> WoT as realized by PGP seems to me to be a very good tool for manually assessing whether to trust a previously unknown key for someone that a third (untrusted) party sends you.

https://inversegravity.net/2019/web-of-trust-dead/

ReelinOP5y ago

That article isn't particularly relevant to what I said.

The issues it describes only affect keyservers that behave in a specific manner. I'd also argue that a keyserver behaving that way in the first place is fundamentally flawed for the reason pointed out by @tialaramex above - trust isn't transitive in the generalized case (nor is it boolean IMO).

It is still entirely possible for a small group (say a FOSS software project) to engage in cross signing. Previously unseen keys received from an untrusted (or less trusted) third party can then be judged on a case by case basis by manually assessing how many times they have been signed and by which keys.

(Similar to above, I believe Matrix employs cross signing among the keys of a single user.)

j / k navigate · click thread line to collapse