[629] in WWW Security List Archive
Re: Netscape Changes RSA tree
daemon@ATHENA.MIT.EDU (Hal)
Tue Apr 25 17:07:19 1995
Date: Tue, 25 Apr 1995 10:06:38 -0700
From: Hal <hfinney@shell.portal.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Re web of trust versus hierarchy models:
The big difference I see is that the web of trust at least as implemented
in PGP is "non transitive". That means that there is no mechanism to
follow a chain of trust from one signer to another. If A signs B's key,
and B signs C's, then just because I trust A as a signer that gives me no
basis to conclude that C's key is valid, and in fact PGP has no support
for this kind of reasoning.
With the hierarchical approach, OTOH, there is the assumption that trust
is transitive in this sense. If RSA signs the key of MIT, and that key
signs the MIT computer-science department key, and that key signs the
key of some member of the CS department, then if I trust the RSA hierarchy
I do conclude that the final key in the chain is valid. The reason is that
(as I understand it) RSA, in signing the MIT key, is not just saying that
the key in fact belongs to someone at MIT, but also that the owner of that
MIT key will itself only sign keys correctly and responsibly. So I
don't have to evaluate the trustworthiness of every key in a certificate
chain; rather, there is an implicit promise on the part of each key that
the key below it is trustworthy. This conclusion is aided by the fact
that the hierarchy is not expected to be too deep, probably no more than
three or four levels at most.
The problem with the web of trust used by PGP is you need to know and
trust one of the signers of a key you want to use (unless you are going
to try to validate the key yourself independent of any signatures). This
works OK within localized groups where in fact most discussion occurs, but
will not work so well when you are talking to strangers.
Hal Finney
hfinney@shell.portal.com
