ec2-44-221-70-232.compute-1.amazonaws.com | ToothyWiki | RecentChanges | Login | Webcomic

Yay! Let's all use PublicKeyEncryption! One problem: how do we know that the public key that contains your user id is one for which you and only you have the corresponding private key?

I mean, it's easy to get a key id: mine's 17308CBE; you can download it from a public keyserver.

If you want to know for sure that the key you get is actually mine, you can ask me and I'll tell you that the fingerprint is 8840 04E5 CDA4 A4C4 9B0D  7661 CE4C D855 1730 8CDE. There, easy. Of course, you actually have to ask me using a more trustworthy channel than the one you used to get the key itself, otherwise the exercise is futile. To be sure, you should get the fingerprint from me in person. Then you should check that the key corresponding to the fingerprint has a user id that corresponds to me in terms of my name (check my passport) and my email address (encrypt an email to me and send it to that address). (FixMe: trust is not simply a magnitude)

In PGP and GPG, one signs someone's public key when one knows it can be trusted.

Now, suppose I can't meet someone (Bob) personally, but I want to be able to get a key from them that I can trust. How can I do that? Well, if I trust someone else (Charlie) who has signed Bob's key using a key that I know I can trust, then Charlie's signature can provide a link of trust, suggesting that I can trust the key that looks like Bob's to really be Bob's. This of course depends on Charlie's credentials. I might not want to rely fully on Charlie, so let's say I know (and have signed the key of) yet another person (Dave) who has also signed Bob's key. Now I can be a bit more sure.

The web of trust in this case looks like this:

  (Diagram: I trust Charlie's and Dave's keys; Charlie and Dave have each signed Bob's key.)
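The Charlie-and-Dave reasoning above can be worked through as a small trust calculation. This is an added example, not code from this wiki or from PGP/GPG; it is a simplified model in which the function name, the key labels and the sample signature data are all constructed, and the default thresholds (1 fully trusted or 3 marginally trusted introducers, depth 5) follow GnuPG's documented defaults for --completes-needed, --marginals-needed and --max-cert-depth.

```python
# Simplified web-of-trust model (illustrative; not GnuPG's actual algorithm).
# signatures: key -> set of keys that have signed it
# ownertrust: key -> "full" or "marginal", i.e. how far I rely on that
#             key's owner to check identities before signing.

def valid_keys(me, signatures, ownertrust,
               completes_needed=1, marginals_needed=3, max_depth=5):
    """Return the set of keys I can treat as genuine."""
    valid = {me}                       # my own key is the root of trust
    for _ in range(max_depth):         # each round extends paths by one hop
        newly = set()
        for key, signers in signatures.items():
            if key in valid:
                continue
            # Only signatures made by keys already known to be genuine count.
            introducers = signers & valid
            full = sum(1 for s in introducers
                       if s == me or ownertrust.get(s) == "full")
            marginal = sum(1 for s in introducers
                           if ownertrust.get(s) == "marginal")
            if full >= completes_needed or marginal >= marginals_needed:
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid

# Constructed sample data matching the scenario in the text.
SIGNATURES = {
    "charlie": {"me"},                 # I checked Charlie's key in person
    "dave": {"me"},                    # ... and Dave's
    "bob": {"charlie", "dave"},        # both of them signed Bob's key
    "bob-lookalike": {"mallory"},      # signed only by a key I cannot verify
}
# "I might not want to rely fully on Charlie": both are marginal introducers.
OWNERTRUST = {"charlie": "marginal", "dave": "marginal"}

if __name__ == "__main__":
    print(sorted(valid_keys("me", SIGNATURES, OWNERTRUST)))
    print(sorted(valid_keys("me", SIGNATURES, OWNERTRUST, marginals_needed=2)))
```

With the default thresholds, two marginal introducers are not enough to make Bob's key valid; it becomes valid if I require only two marginal signatures or trust one of the signers fully. The lookalike key never becomes valid because none of its signers is reachable from my key.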

A good way to help build the web of trust is to take part in a KeySigningParty.

MoonShadow is willing to sign keys of people who visit TheFlat in person and pass on his public key to them at the same time. People who trust MoonShadow's key can then have some measure of trust in each other's keys without having to meet each other to exchange them.

Just for the sheer insanity of it, ChrisHowlett will start carrying his fingerprint to GamesEvening. His key is already available from his wiki homepage, but is probably too long to carry with him.
ChrisHowlett has previously had laser surgery to remove them?  --Vitenka ;)
I had a feeling that comment would garner some comedic remarks. I'm quite surprised no-one's [WikiQuote]ed it yet, TBH --CH

Sensibly - have any web of trust systems become useful yet?  Last time I looked, they were tiny, and people were deliberately gaming them in order to show off specially big (or small) numbers.  (Many trusters, low root path)  Have branches been revoked due to malicious signers?  --Vitenka

What do you make of the Web of Trust described in this [article on Google's future]?
Well, that article is two years old, and says, effectively, that the HardAI problem of NaturalLanguageProcessing will be solved.  Which would be nice... but if that happens we get a whole revolution in HCI and today's Google becomes irrelevant.  --Vitenka
Umm...  No it doesn't.  At least not to my eye.  All it says is that banks upon banks of relationship data will be put up on the internet in the same way that web sites are now and that Google is in an excellent position to take advantage/manipulate/motivate such a trend.  The relationship data itself that was mentioned was all of the form <item> is made of <component>, <component>... <person> likes <person>, <person> trusts <person>...  with the actions themselves being pre-defined keywords.  NaturalLanguageProcessing didn't actually come into it.  Obviously NLP would help such a process but certainly wouldn't seem to be a requirement. --K
Oh, I apologise, I thought it was a different article which starts very similarly.  I doubt that people are going to start adhering to global schema any time soon - and inferring the schema requires NLPOTOP, yes, Google has a good head start on the ability to rapidly index vast quantities of data, which will clearly be an important part of searching any repository.  --Vitenka

It would be nice if, instead of just an alphanumeric string such as "8840 04E5 CDA4 A4C4 9B0D 7661 CE4C D855 1730 8CDE", you could also use software such as [Stylegan] to procedurally generate from the string (and a standard well defined set of baseline data that's widely available and hard to tamper with) an image or small collage of images that the human brain is better tailored to remembering, such as human faces.  Then you could be introduced to someone at a party, learn their name and be shown their fingerprint image without having to write either down then, once back home the next morning, look up their public key on a server, and see at a glance that the image generated from the fingerprint of the key you've just downloaded over a possibly insecure internet connection matches the image you saw the previous evening and so know the key you downloaded is the one the person at the party wanted you to have. --DR (who too often finds himself meeting people at events when there's no phone or pen available).

By the way, that could combine nicely with [Ileana Buhan's idea https://www.zdnet.com/article/exchanging-pictures-to-generate-passwords/] of two people generating a key known only to them, by seeding it upon data from a pair of photographs (one of each person), taken when they met in real life.  If the protocol used to generate human-face-fingerprint-images permitted input from the biometrics of the people who generated the key (or, perhaps, who signed it), you'd end up with a WebOfTrust that bore a visual resemblance to a complex family tree (or perhaps a [graph of relationships in a poly community]). --DR


Last edited May 24, 2021 11:27 am (viewing revision 13, which is the newest) (diff)