Re: pretty good reputation
From: Vipul Ved Prakash <vipul@pobox.com>
> by what i understand pgp's "web of trust" scheme has flaws. according to pgp (alice trusts jane, jane trusts snoopy, bob trusts alice) implies bob trusts snoopy.
No, this is not true. PGP does not implement any form of trust delegation as you have described here. Rather, each person must explicitly indicate that they trust someone as a key signer. Without that individual action, snoopy and bob in the above example are useless to alice as key signers. What PGP does do is that if alice has indicated that she trusts jane and snoopy, and she needs a key for bob, she can use bob's key signed by snoopy and snoopy's key signed by jane to decide that she has a good key for bob. Just having bob's key signed by snoopy is no good, even if alice trusts snoopy, because she can't be sure that she actually has snoopy's key. So she needs snoopy's key signed by someone else that she trusts, in this case jane.
> what is required is a reputation system wherein trust is _qualified_ rather than _quantified_. it's senseless to say i trust him five units. it will be more appropriate if pgp has a separate tag for "type of trust" or something like that.
> this kind of thing can be difficult to handle, since it is a fuzzy parameter. add to the problem a global-system like internet where all communication is not person to person. i was wondering if there are any working mathematical models for reputation systems, and how successful they are.
There was considerable discussion in the design of PGP's key signatures on this issue, and Phil decided against trying to let people express publicly how much they trust others. Among other things, he was afraid that people would feel compelled to lie for social reasons, leading to inaccurate trust estimates and weak key validations.
There has been considerable discussion in the "official" Internet encryption working groups (PEM and its follow-ons, for example) about issues of trust in the context of Certificate Authorities which exist in a hierarchical structure and sign each others' as well as end users' keys. Different CA's may have different policies about how they check identity, and figuring out from this how much trust to put in a key certificate ends up being a potentially messy problem.
I also found a paper several years ago, I think by the USC/ISI people, about systems which would allow trust delegations in a model more like the web of trust. Also some of the recent work by Matt Blaze and (largely independently) Ron Rivest for generalizations of key certificates could perhaps serve as a basis for extending trust in a web model.
Hal Finney
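The key validation rule described in the reply above, as an added example that is not part of the original message and is not PGP's own code. It assumes a single "trusted introducer" level (real PGP distinguishes marginal and complete trust) and that alice has verified jane's key herself; the function and variable names are hypothetical.

```python
def valid_keys(owner, directly_verified, trusted_introducers, signatures):
    """Keys that `owner` can treat as valid (simplified one-level model).

    signatures is a set of (signer, subject) pairs. A signature counts only
    when the signer is someone `owner` has explicitly marked as a trusted
    introducer AND the signer's own key is already valid for `owner`.
    Other people's trust decisions are not an input at all, so trust is
    never delegated.
    """
    valid = {owner} | set(directly_verified)
    changed = True
    while changed:  # iterate until no new key becomes valid
        changed = False
        for signer, subject in signatures:
            if subject in valid:
                continue
            if signer in trusted_introducers and signer in valid:
                valid.add(subject)
                changed = True
    return valid


# Constructed sample data: jane signed snoopy's key, snoopy signed bob's key.
SIGS = {("jane", "snoopy"), ("snoopy", "bob")}


def alice_full_chain():
    # alice trusts jane and snoopy as signers, and holds jane's verified key.
    return valid_keys("alice", {"jane"}, {"jane", "snoopy"}, SIGS)


def alice_without_janes_signature():
    # snoopy is trusted, but nothing proves alice has snoopy's real key.
    return valid_keys("alice", {"jane"}, {"jane", "snoopy"}, {("snoopy", "bob")})


def alice_trusts_only_jane():
    # snoopy's key is valid via jane, but snoopy is not a trusted signer
    # for alice, whatever jane herself thinks of snoopy.
    return valid_keys("alice", {"jane"}, {"jane"}, SIGS)


if __name__ == "__main__":
    print("full chain:        ", sorted(alice_full_chain()))
    print("no jane signature: ", sorted(alice_without_janes_signature()))
    print("trusts only jane:  ", sorted(alice_trusts_only_jane()))
```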