
At 8:38 PM 5/18/96, bryce@digicash.com wrote: ...(my points elided)...
All of these are products of misconceptions between using the WoT to certify identities, versus using it to certify how much you trust a person to certify someone else's identity, versus using it to certify arbitrary other qualities about a person.
Bryce, we've differed several times before about the web of trust, especially "man-in-the-middle" issues. This looks to be the same sort of issue. I personally don't see key-signings as mainly useful for verifying the "true name" of someone whose key I sign. (I don't check birth certificates, passports, driver's licenses, etc.) Rather, I view _my_ key signings as forms of vouching, or endorsement. Not of all views, naturally, but as a statement that the person whose key I am signing is someone I know and "trust" (in the sense that the key belongs to the person I "know"). Thus, I know Eric Hughes, even though he may actually be Fritz Kacynski, drop-out math student.
For example, there is no reason why the hypothetical racist "Tom Metzger" would sign no black people's keys. A key signature (PGP style) is just an assertion about the identity of someone. Haven't racists engraved markings on people's clothes, buildings, land, bodies and other belongings in order to identify the owners? So why not do the same for keys.
Sure, he could do it. I'm saying that there's also a significant chance he has no black friends or no blacks he deals with on a regular enough basis to even be _asked_ to "vouch" for them, much less _agree_ to sign their keys. (This is the way it really does work in the real world, at least for many of us. People who ask me to sign their keys from afar will get no response from me. I don't even care if they fax me their birth certificates, etc. Only people I have met or interacted with directly, or who seem to be known by enough of my friends, get their keys signed.) Now I can certainly see other folks signing keys on a different basis: upon presentation of a valid passport, comparison of footprint with that on birth certificate, etc. Such "credentialling agencies" will be valuable players (to some) in the ecosystem of key-signers. I'm just saying that I'm certainly not in the business of checking credentials for free, and hence only sign keys for people I know fairly well, or who know my own friends fairly well.
This is illustrative of how much confusion reigns about keys, certs, nyms, signatures and cetera right now.
I hope that TCMay is pointing out how _most_ people lack a proper understanding of the differences, rather than reflecting his own lack of understanding.
Bryce, I respect your views on this and MITM issues, but the fact that we view things differently (and that Phil Z. views things differently from you, and perhaps from me) should not always be ascribed by you as "reflecting lack of understanding."
Phil Zimmermann was confused about this, I think, when he wrote "Trust is not transitive." Some kinds of trust _are_ transitive (with a coefficient, of course). Hm. I wonder if there are kinds of trust whose transitivity coefficient is 1?
Well, I wrote up my thoughts on how work on "belief networks" is less confusing than the term "web of trust." I believe different agents will use these belief networks in different ways. Some will be focused on the issue of True Names and will calculate beliefs on the basis of how much they think the key-signers are being diligent enough in checking identities. Others will use belief networks to convey trust that one is not a government agent (a practical example being the use of PGP and webs of trust in the jungles of Burma, where I am quite sure the "keyrings" did not deliberately include government agents, regardless of how well they "proved" their identity!).
There is no single ontological interpretation of belief networks.
--Tim May
Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."