PGP's "Web of Trust" -- useless?

[Joe Chou]

-----BEGIN PGP SIGNED MESSAGE-----BY SAFEMAIL-----

Hello all,

What do people here think of key certification and the "Web of Trust"?

Recently, I was pondering the fact that my complete web of trust is
limited to exactly 2 keys -- my key, and my fiancee's -- where we've
each signed our own and other's keys, and no one else has. Clearly,
this is not particularly useful.

Similarly, other's have pointed out that the majority of keys people
receive, either directly from the owner or from keyservers, are signed
*only* by the key's owner, leaving a web of 1 node. Hmm.

Should anyone even *care* that webs aren't more extended? A recent post
by: jba...@madge.com (Jill Baker)

>You should be clear that certification is a private thing, and *MEANS NOTHING*
>on a public key server. I can count on the fingers of one hand the number of
>people I would trust as "introducers". A key certified by anyone _else_ is the
>same as an uncertified key as far as I'm concerned. Why should I care if
>someone I've never heard of says your key is genuine?
>
>I would advise you to take the same approach. Only trust as introducers people
>you know _personally_ - personal friends; people you know you can trust; and
>so on.
>
>As far as key servers are concerned there is a much BETTER method of
>authentication than relying on certification, and that is by making use of the
>"Key Fingerprint" feature of PGP. What you do is this - you widely publicise
>your key ID and fingerprint in as many media as possible - in your email sig;
>in snail-mail/fax headed notepaper; by phone - you get the idea. Then what
>happens when someone wants to write to you is that, knowing your key ID they
>download it from a keyserver, then they check the fingerprint. If it is
>correct, the key is genuine.
>
> Jill (my opinions are my own, no-one else's)
>-----------------------------------------------------------------------
> PGP Key ID: 0xB26FC709
> Fingerprint: 72 C4 EB 30 E1 42 27 90 D0 76 A1 0D E1 52 0C 15

If you agree with Jill, which I guess I do, then the whole web of trust
is moot -- at most, you will only trust keys that are TWO steps away,
certified by someone you absolutely trust. This web will probably be too
small to be useful.

Yet, I think that since the certification mechanism is already in place,
it should be used, even if you don't fully trust it.

I was exploring the AT&T PGP key pathserver at:

http://akpublic.research.att.com:80/~reiter/PathServer/

...and it was actually quite cool! Something like the concept of 8
degrees of separation between you and anyone else in the world. Since
my personal web is only 2 people, I chose an arbitrary person as
the absolutely trusted key: who else but Phil Zimmermann would do?
(Of course, there's no way for me to know that the keyserver's key
for PZ is REALL his, who cares about the 8 certificates of people I
don't know? And so what if PZ's web page has the same key -- perhaps
his key was intercepted along the way and replaced with his evil twin's)

Anyway, I then tried to generate paths to other random people who've been
posting on the PGP newsgroups: Galactus, Ian Hebert, and Jill Baker. The
pathserver actually found 1 path between PZ and G, 2 between PZ and IH,
and none to JB (I noticed later that her key isn't signed by anyone but
herself. Duh.)

As Jill pointed out, this mean's nothing, because I don't really trust
anyone absolutely except my fiancee and me, but still, a not-fully-trusted
web seems to be more useful than no web at all.

I would favor more promiscuous key certification, to propagate a larger
web. No longer a web of "trust", but at least a web of leads you could
follow to more directly confirm the key's validity.

As it stands now, the system is so conservative as to be useless.

Anyone else agree with this?

Joe (or, the guy who when he posts, posts as Joe, but you don't know if
it's really Joe, it could be an imposter. But the imposter, whoever
he is, consistently signs with key ID 0x3FA76F7D)

(or, the guy who wants to have someone else to sign his key, so he
can feel a connectedness to the world through the AT&T pathserver)

-----BEGIN PGP SIGNATURE-----BY SAFEMAIL-----
Version: 1.0b4 e22

iQCVAwUBMoT+SgtQSc4/p299AQEUSwP+Mfg4VQWW6b72bGwnCZMyke6DUAa+cRHN
+l0o21FY1hwsX+JKUU5vD0lAS/VomaPzWPl2tFzl/p+CHEg3er65Fbth9kNjyooX
/eg+bdhVWipOEos/jtD/Mes8KbwM99bO4mxQK7B7/0PtAFwsrAtS+0QvdhQ85f2+
QjGhRJxqH3o=
=cmBZ
-----END PGP SIGNATURE-----

--
| Joe Chou <jc...@socrates.ucsf.edu>
| http://devbio-mac1.ucsf.edu/joe.html
| PGP Public KeyID 0x3FA76F7D: at Web Page or Key Servers
| PGP Fingerprint [004C 5A68 CC2F DA20 3999 3355 0E8D 7B3F]

[Geoff Joy]

On 9 Nov 96 22:06:22 GMT, jc...@cgl.ucsf.edu (Joe Chou) wrote:

[snip]

>What do people here think of key certification and the "Web of Trust"?
>

You sign your own key to prevent forgery of your signature, not to
establish trust. I trust your key by confirming by _independent_
means that it is really your key and signature. A signed cleartext
message is only proof that the person signing the message has access
to the passphrase that unlocks the secret key that matches the public
key that signs the message. It serves only to give you deniability of
forged messages.

[snip]

>I would favor more promiscuous key certification, to propagate a larger
>web. No longer a web of "trust", but at least a web of leads you could
>follow to more directly confirm the key's validity.
>
>As it stands now, the system is so conservative as to be useless.
>
>Anyone else agree with this?
>

I don't agree. I don't know PZ or anyone named in your post. I don't
trust their keys any more than I trust yours. The web of trust serves
organizations when a third party (Ira) known to two other parties (Ann
& Betty) who don't know each other but need to establish
communications. Ira can introduce Ann to Betty. Betty trusts Ira to
vouch for Ann, Ann trusts Ira to vouch for Betty. They each need not
trust Ira to the same degree, but they can now trust each other's keys
more than they could without Ira. But the web works here because Ira
is the trustee, known to both parties.

I place no trust in keys of persons I don't know personally. I will
not sign their keys. In the global sense the 'web of trust' is
"broken", but in the security sense it's working.

Having more signatories does not make a key more trustworthy. Having
only one trusted signatory is sufficient even if that signatory is the
owner of the key.

--
Geoff Joy - ke6qh - http://users.deltanet.com/~geoffj/
PGP public key available on public key servers.
1024/EF05C6D1 1995/12/21 <geo...@deltanet.com>
8B 28 1E 93 6E 10 D8 A3 73 1C 23 77 9A 4C 2F 9F

[Mel Wilson]

In article <jchou.8...@cgl.ucsf.edu>,
jc...@cgl.ucsf.edu (Joe Chou) wrote:
> [ ... ]

>Yet, I think that since the certification mechanism is already in place,
>it should be used, even if you don't fully trust it.

Certification you don't trust? What is that?

> [ ... ]

>I would favor more promiscuous key certification, to propagate a larger
>web. No longer a web of "trust", but at least a web of leads you could
>follow to more directly confirm the key's validity.
>As it stands now, the system is so conservative as to be useless.
>Anyone else agree with this?

As it stands now, I think the problem is really that PGP is not
widely used to protect important information. When we have solid
reasons to use Webs of Trust, then we will get off of our backsides and
create them. Till then, I'm just practicing.

Regards. Mel.

(And think of the keyservers! Who could afford to store the key file
if every key user-id were signed by everybody else?)

[Hal Finney]

In article <jchou.8...@cgl.ucsf.edu> jc...@cgl.ucsf.edu (Joe Chou) writes:

What do people here think of key certification and the "Web of Trust"?

Recently, I was pondering the fact that my complete web of trust is

limited to exactly 2 keys -- my key, and my fiancee's -- where we've
each signed our own and other's keys, and no one else has. Clearly,
this is not particularly useful.

[...]

If you agree with Jill, which I guess I do, then the whole web of trust
is moot -- at most, you will only trust keys that are TWO steps away,
certified by someone you absolutely trust. This web will probably be too
small to be useful.

I think these are good points. The limitation with the web of trust
is that you have to trust the person who is serving as an "introducer"
and who has signed the key. This means that you have to personally
know someone who has signed the key of the person you want to
communicate with. In general, with 5 billion people in the world,
this will not be practical. But on the other hand you probably don't
need to communicate very often with a randomly chosen person on the net.

The web of trust works best if there is a relatively tightly knit
group of people who want to communicate securely. One or a few
members of the group can sign everyone's keys. In the corporate
environment, security officers may be designated who will do this, and
employees mark their signatures as trusted. But the same idea could
be used in an academic community, an online discussion group, and so
on.

In your case, if you wanted to communicate with your fiancee's
friends, she could sign your key and be the introducer which her
friends would trust to validate your key. In some social circles this
would be useful, in others, not. It depends on how the group
communicates.

Hal