[7595] in cryptography@c2.net mail archive


Re: A proposal for secure videoconferencing and video messaging over the Internet

daemon@ATHENA.MIT.EDU (amanda)
Fri Jul 28 12:19:44 2000

Message-Id: <200007280740.e6S7eNH07338@smtp.wineasy.se>
From: amanda <amanda@wineasy.se>
To: <eugene.leitl@lrz.uni-muenchen.de>
Cc: <coderpunks@toad.com>, <cryptography@c2.net>
Date: Fri, 28 Jul 2000 07:41:12 "GMT"


Perhaps you wouldn't trust your WOT with your life, but at least you know
that there is some accountability in the signature chain. If you find that
Mallory has a key that says "Bob'" then you can follow the
signatures. When you find the person who admits that he signed a key that
he didn't verify then you can kick his sorry ass.

The trust metric doesn't have to be boolean. Look at Verisign's WOT, where
everybody has a number of points. Bank Managers start with 100 points and
you and I start with 0 points. Your number of points increases whenever a
high-pointer signs your key. People younger than 21 get fewer points etc.

http://www.thawte.com/certs/personal/wot/

Amanda.



On Thu, 27 Jul 2000, Eugene Leitl wrote:
> amanda writes:
>  > You are not supposed to trust key servers. It is the keys that you trust,
>  > because they are signed by someone you trust (the CA or your WOT).
>  
> I'm a bit hazy on this web of trust thing. I can trust my close
> friends (I think). I would sign their keys. They would sign mine. So
> far ok. But I'm not sure the chain letter would still work, if
> propagated long enough. The trust metric is boolean, and it does not
> use consensus, right?
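
Added example, not part of either poster's message: a sketch of the two ideas in this thread, walking a signature chain back from a suspect key to a signer you know, and scoring keys with points instead of a yes/no flag. The key names, the 35-point award and the 100-point threshold are assumptions made for illustration, not the rules of any real web-of-trust scheme.

```python
# Added illustration; all names, point values and thresholds are hypothetical.
# SIGNED_BY maps a key to the keys that signed it (constructed sample data).
SIGNED_BY = {
    "alice": ["banker1", "banker2", "banker3"],
    "bob": ["banker1", "alice"],
    "dave": ["alice"],
    "Bob'": ["dave"],  # the look-alike key from the message
}
INITIAL = {"banker1": 100, "banker2": 100, "banker3": 100}
NOTARY_THRESHOLD = 100  # assumed: only signers at or above this award points
AWARD = 35              # assumed: points granted per qualifying signature


def signature_chains(signed_by, key, anchor, _path=None):
    """Return every signer chain leading from `key` back to `anchor`."""
    path = (_path or []) + [key]
    if key == anchor:
        return [path]
    chains = []
    for signer in signed_by.get(key, []):
        if signer not in path:  # skip cycles (mutual signatures)
            chains.extend(signature_chains(signed_by, signer, anchor, path))
    return chains


def trust_points(signed_by, initial):
    """Iterate to a fixed point: score = initial + AWARD per qualifying signer."""
    keys = set(signed_by) | set(initial) | {s for v in signed_by.values() for s in v}
    scores = {k: initial.get(k, 0) for k in keys}
    while True:
        updated = {
            k: initial.get(k, 0) + AWARD * sum(
                scores[s] >= NOTARY_THRESHOLD for s in signed_by.get(k, []))
            for k in keys
        }
        if updated == scores:
            return scores
        scores = updated


if __name__ == "__main__":
    for chain in signature_chains(SIGNED_BY, "Bob'", "banker1"):
        print(" <- ".join(chain), "| signed directly by:", chain[1])
    print(sorted(trust_points(SIGNED_BY, INITIAL).items()))
```

In this constructed graph the look-alike key is reachable from a high-point signer, yet it scores zero because its only direct signer is below the threshold; the second element of each chain is the signer to ask about the verification.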


