Re: pgp signing in van

Melinda Shore <melinda.shore@gmail.com> Sat, 07 September 2013 03:13 UTC

Message-ID: <522A99BA.7000103@gmail.com>
Date: Fri, 06 Sep 2013 19:12:58 -0800
From: Melinda Shore <melinda.shore@gmail.com>
To: Ted Lemon <ted.lemon@nominum.com>
Subject: Re: pgp signing in van
In-Reply-To: <D2B391D8-B7D9-4A17-BF34-1DAEA2144339@nominum.com>
Cc: IETF discussion list <ietf@ietf.org>

On 9/6/13 7:04 PM, Ted Lemon wrote:
> It's not at all clear to me that "serious" trust mechanisms should be
> digital at all.   

They're not.

> Be that as it may, we have an existence proof that
> a web of trust is useful—Facebook, G+ and LinkedIn all operate on a
> web of trust model, and it works well, and, privacy issues aside,
> adds a lot of value.  

I'm not quite sure how we got from the question of how to
do crypto better as a means to provide stronger privacy
protections to the value of Facebook, to be honest.
Possibly because of the key signing proposal.

But here's some anecdata.  Got a FB friend request from
someone I didn't know, checked him out and we seemed to have
quite a few friends in common, so I accepted.  When he did,
in fact, turn out to be a jerk I wrote to some of the
friends-in-common and it turns out that nobody knew who he
was - a few people with lax friending policies had accepted
his friend requests and that formed the basis for a bunch of
the rest of us assuming he'd be okay.

At any rate I think it's pretty clear that the semantics
of pgp signing are not agreed-upon and that's led to a
lack of clarity around individual decisions about key signing.
I find pgp useful for sloppy, casual, but easy-to-use crypto
but I certainly wouldn't want to use it as the basis for
assurances about identity, etc.

Melinda