[Smaug] Webs of Trust signing etiquette

Eric Cain ecain@phosphor.net
Thu Jan 17 00:50:01 2002


On Wed, Jan 16, 2002 at 09:07:50PM -0800, David Correa wrote:
> Peace,
> 

Peace.

> -snip-
>
> There is no need to be a brain surgeon to understand this procedure.
> 
> My point is that, since the photo ID is a crucial part of this procedure
> then the "photo ID" needs to be a trusted one. I would "trust" more a
> CISCO badge (i worked there as a consultant and I know they do a real
> background check) than I would trust a CA drivers license or a student ID.
> 
> For all practical purposes since we at SMAUG can probably only
> request CA drivers license or student ID, then the web of trust
> is really an illusory one, unless we base our trust in each others
> actions, comments, interest and participation in the
> SMAUG works.

True. One can claim to be someone they're not and provide a fake ID. No
one can refute that. Most of the keys I've signed are from people with
established identities both offline and online but even that can be
false. (It would require some work to establish this false identity but
it can be done.)
 
> Since we probably agree that no single method of authentication is
> perfect, why be so anal about just using my key to encrypt an email
> with a username/password. After all the idea was for me to be able
> to help SMAUG.

Sure. Read on.

The reason I required either in-person username/password exchange or a
well-signed key was to prevent _someone_else_ from sending me a key,
claiming to be a SMAUGer, and gaining access. I do not think that this
was unreasonable. My purpose in requiring these was to ensure that this
information did not fall in to the wrong hands. Also note that just
because a key is signed doesn't mean I'll trust it. It depends on who
signed it. I certainly didn't forsee this sparking a flame thread.

The signing process is not perfect but the ownership of a key is more
certain when a large quantity people whose ability to properly sign a
key can be counted on. It is unlikely alot of people would be decieved
in the same way. Numerous quality signers might out-weigh concerns of
authenticity.

I am careful about the use of the word "trust" here. At the very least
I hope you understand why I said I did not trust[2] your key. Key
trust[2] is, for the most part, procedural and should not be confused
with personal trust[1].

Of couse, all of this is moot when the people involved have directly
verified each other's key. Even if one of the individuals were to
falsify his identity, either that person owns the key or he doesn't. If
he doesn't, he can't access the information anyway. These individuals
have already agreed to exchange information and trust[2] each other's
key at least for the purposes of exchanging information.

With that said, we should close this issue. I can honestly say with
in a reasonable doubt that I believe that David Correa is who he says
he is. I did from the beginning. Also understand that "key trust" is
not equivilant to "personal trust." I trust[1] you but I rarely
trust[2] a key that isn't (at a minimum) close to me in my
web-of-trust.

Exceptions can be made depending on the application. If one is
satisfied that a key belongs to its owner, that may be all that is
necessary. A signature is not required for these specific individuals
to exchange information. Others may not trust[2] the key but that is
irrelevant.

I will provide David with the username and password provided the group
(the owner of the domain) has no objections and provided David hasn't
fled the group. We both live in Santa Cruz and he has provided me with
an alternate means of contact. I don't require that we even use PGP/GPG
+ email for this exchange. There are a number of reasonable means of
information exchange.


Here's to a prosperus 'UG,

 Eric


[1] having integrity, reliable, having confidence in
[2] deemed authentic (by a personally determined scale)