pretty good reputation

Hal hfinney at shell.portal.com
Sat Jun 15 19:34:32 PDT 1996 

From: Vipul Ved Prakash <vipul at pobox.com>
> by what i understand pgp's "web of trust" scheme has flaws. according to 
> pgp (alice trusts jane, jane trusts snoopy, bob trusts alice) implies 
> bob trusts snoopy.

No, this is not true.  PGP does not implement any form of trust
delegation as you have described here.  Rather, each person must
explicitly indicate that they trust someone as a key signer.  Without
that individual action, snoopy and bob in the above example are useless
to alice as key signers.

What PGP does do is that if alice has indicated that she trusts jane and
snoopy, and she needs a key for bob, she can use bob's key signed by
snoopy and snoopy's key signed by jane to decide that she has a good key
for bob.  Just having bob's key signed by snoopy is no good, even if
alice trusts snoopy, because she can't be sure that she actually has
snoopy's key.  So she needs snoopy's key signed by someone else that she
trusts, in this case jane.

> what is required is a reputation system wherein trust is  _qualified_ 
> rather than _quantified_. its senseless to say i trust him five units.
> it will be more appropriate if pgp has a separate tag for "type of trust"
> or something like that. 
> 
> this kind of thing can be difficult to handle, since it a fuzzy 
> parameter. add to the problem a global-system like internet where all 
> communication is not person to person. i was wondering if there are 
> any working mathematical models for reputation systems, and how 
> successful they are.

There was considerable discussion in the design of PGP's key signatures
on this issue, and Phil decided against trying to let people express
publicly how much they trust others.  Among other things, he was afraid
that people would feel compelled to lie for social reasons, leading to
inaccurate trust estimates and weak key validations.

There has been considerable discussion in the "official" Internet
encryption working groups (PEM and its follow-ons, for example) about
issues of trust in the context of Certificate Authorities which exist in
a hierarchical structure and sign each others' as well as end users'
keys.  Different CA's may have different policies about how they check
identity, and figuring out from this how much trust to put in a key
certificate ends up being a potentially messy problem.

I also found a paper several years ago, I think by the USC/ISI
people, about systems which would allow trust delegations in a model more
like the web of trust.  Also some of the recent work by Matt Blaze and
(largely independently) Ron Rivest for generalizations of key
certificates could perhaps serve as a basis for extending trust in a web
model.

Hal Finney

More information about the cypherpunks-legacy mailing list