[614] in WWW Security List Archive
Re: Netscape Changes RSA tree
daemon@ATHENA.MIT.EDU (Jason Dawes)
Mon Apr 24 01:05:02 1995
From: Jason Dawes <dawes@dstc.qut.edu.au>
To: www-security@ns2.rutgers.edu
Date: Mon, 24 Apr 1995 10:11:35 +1000 (EST)
Errors-To: owner-www-security@ns2.rutgers.edu
> The PGP Web-of-Trust model is more general, and hierarchies are
> a special case of it, so if you've got web-of-trust support in your software,
> it'll work just as well for certificates from a certificate company,
> military ID cards, anarchist collectives, or your anti-nuclear group.
> Nobody needs permission from anybody's organization, and you can
> build any structure into it that you want; all you need to use it
> are reliably-known keys from somebody well-connected, whether you
> view that person as being on the top or merely in the middle.
>
> Hierarchical certification is often not appropriate.
> Generality is good, and it's not much harder than hierarchy,
> and it's a much better thing to build into a tool that will
> be widely used.
The PGP model makes it very difficult to verify the certifiers of someone's
signature in a reliable way. With no hierarchy implicit, there is no easy
way of finding a common point of trust (in a hierarchical model, possibly:
a Notary Public) without some sort of exhaustive search.
Yes, that may be their public key, but can you prove it?
Jason Dawes
--
===============================================================================
Jason Dawes | Internet: dawes@dstc.qut.edu.au
Research Scientist | Phone: +61-7-864-5337
Co-operative Research Centre for | FAX: +61-7-864-1282
Distributed Systems Technology. | URL: http://www.dstc.edu.au/intro.html
===============================================================================
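
The contrast drawn in the reply above, as an added example that is not part of the original message: finding a chain to a trusted key is a single walk up issuer pointers in a hierarchy, while in a web of trust it is a graph search over everyone who signed the key. The key names, both graphs and the `max_depth` limit are constructed assumptions, and only path discovery is modelled, not signature verification.

```python
from collections import deque

# Constructed sample data. HIERARCHY maps a key to its single issuer;
# WEB maps a key to the set of keys that have signed it.
HIERARCHY = {"alice": "dept-ca", "dept-ca": "org-ca", "org-ca": "root"}
WEB = {
    "alice": {"bob", "carol", "dave"},
    "bob": {"erin", "frank"},
    "carol": {"bob", "grace"},
    "dave": {"heidi"},
    "erin": {"frank"},
    "grace": {"me"},
    "heidi": {"ivan"},
}

def hierarchy_path(issuer_of, subject, trusted_root):
    """Walk issuer pointers upward. Returns (path or None, keys touched)."""
    path, seen = [subject], {subject}
    while path[-1] != trusted_root:
        parent = issuer_of.get(path[-1])
        if parent is None or parent in seen:  # no issuer, or a loop
            return None, len(seen)
        path.append(parent)
        seen.add(parent)
    return path[::-1], len(seen)

def web_of_trust_path(signed_by, subject, trusted_keys, max_depth=4):
    """Breadth-first search from subject back through its signers until a
    key the verifier already trusts is reached. max_depth caps chain length
    in keys. Returns (path or None, keys touched)."""
    queue, seen = deque([(subject, [subject])]), {subject}
    while queue:
        key, path = queue.popleft()
        if key in trusted_keys:
            return path[::-1], len(seen)
        if len(path) > max_depth:
            continue
        for signer in sorted(signed_by.get(key, ())):
            if signer not in seen:
                seen.add(signer)
                queue.append((signer, path + [signer]))
    return None, len(seen)

if __name__ == "__main__":
    print(hierarchy_path(HIERARCHY, "alice", "root"))
    print(web_of_trust_path(WEB, "alice", {"me"}))
    print(web_of_trust_path(WEB, "alice", {"nobody"}))
```

In this sample the hierarchy walk touches only the four keys on the chain, while the web-of-trust search touches all ten keys in the graph, both when a path exists and when it has to conclude that none does.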