Web of trust at Internet Scale

Sam Hartman <hartmans-ietf@mit.edu> Wed, 09 April 2014 17:51 UTC

From: Sam Hartman <hartmans-ietf@mit.edu>
To: dcrocker@bbiw.net
Subject: Web of trust at Internet Scale
Date: Wed, 09 Apr 2014 13:50:54 -0400
Cc: Noel Chiappa <jnc@mercury.lcs.mit.edu>, ietf@ietf.org

>>>>> "Dave" == Dave Crocker <dhc@dcrocker.net> writes:

I have no idea how we got from security for ietf.org services to this.
I hope we're not going to pilot Phil's e-mail trust model in the IETF,
even though I think his work has significant value.

    Dave> The interesting premise in the suggestion is that a web of
    Dave> trust key management model is useful at Internet scale.

    Dave> I don't understand why anyone believes that.

I'm not sure that's actually an implied premise.

I guess bulk mailers do need to communicate with people at Internet

The rest of us not so much though.
Yes, I can communicate with anyone on the Internet.
However, the set of people that I communicate with is smaller than
that.  The set of people for whom I need trusted communication is even

From my experience in the open-source and product-security communities
(some of the larger web of trust users), web-of-trust tends to work well
when people are communicating with a small enough set of people that
they can make individual authorization decisions but where that set is
drawn from a large enough infrastructure that shared key management is

We're seeing something similar as we're putting together the Moonshot
deployment of ABFAB federation.  There's value in some environments in
having a large trust infrastructure from which I actually trust only
some principals.

I think that the same is likely true for some uses of secure e-mail.