Trust, but verify

Posted Feb 22, 2010 11:45 UTC (Mon) by dkg (subscriber, #55359)
Parent article: Trust, but verify

Thanks for the writeup, Jake! A comment about terminology. You wrote:

In practice, if Adam signs Bonnie's key, and Clarisse trusts Adam, that means that Clarisse can trust Bonnie's key. Whether Clarisse should trust David's key, which is signed by Bonnie, depends to a large extent on how much she trusts Adam.
[...]
if Adam has published a trust signature for Bonnie saying that she is fully trusted by him, and Clarisse fully trusts Adam (publicly or privately), she is likely to trust David's key.

Statements like the above get confusing pretty fast because you're using the term "trust" in two very different ways. You're not the first to do this -- the GnuPG documentation itself conflated these ideas until relatively recently.

In trying to clarify what's happening here, i prefer to drop the (abused) term "trust" altogether, and instead use two separate ideas: "ownertrust" and "calculated validity":

  • Ownertrust answers a question about a key. It answers the question "how much do i think i can rely on certifications issued by the person (or persons) who control this key?"
  • Calculated validity answers a question about a (key,user ID) pair. It answers the question "How strongly do i believe that this key belongs to someone with the given User ID?" ("with the given User ID" usually means "with the given real name and e-mail address" in the case of people, or "the ssh or https service at a given hostname" in the case of service User IDs)

Web of Trust-based cryptosystems like OpenPGP use a person's explicitly-stated ownertrust to help them automatically calculate the validity of a key for its User ID.

Thanks also for your highlighting the usability point. Modern tools have done a terrible disservice to ordinary users. We offer all kinds of flashy nonsense, but have done very little to offer intelligible, critical information like "your daughter Amanda (who understands these things) confirms that this is in fact the web site of the credit union you both use, and not a scam." I'd love to see that change.

As more of our society moves online, normal people need functional tools to help them manage their digital identity. People can make good choices when they're asked in a context and a framing that they understand.
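
Added example, not part of the comment above or of the parent article: a simplified Python sketch of how ownertrust feeds calculated validity, using the Adam/Bonnie/Clarisse/David names from the quoted passage. It assumes one User ID per key, Clarisse's own certification of Adam's key, and GnuPG's default thresholds (one fully trusted or three marginally trusted certifiers); it ignores expiry, revocation, trust signatures and certification depth.

```python
FULL, MARGINAL = "full", "marginal"
COMPLETES_NEEDED = 1   # GnuPG default for --completes-needed
MARGINALS_NEEDED = 3   # GnuPG default for --marginals-needed

# Constructed sample data: (certifier, certified key) pairs.
# Assumption: Clarisse has certified Adam's key herself.
CERTS = [("clarisse", "adam"), ("adam", "bonnie"), ("bonnie", "david")]

def calculated_validity(own_key, ownertrust, certs):
    """Return the set of keys the owner of own_key would treat as valid.

    ownertrust maps key -> FULL or MARGINAL and is the keyring owner's
    private statement about how far she relies on that key's certifications.
    """
    valid = {own_key}
    changed = True
    while changed:                      # iterate to a fixed point
        changed = False
        for target in {t for _, t in certs} - valid:
            # A certification only counts if the certifier's key is itself valid.
            signers = {s for s, t in certs if t == target and s in valid}
            full = sum(1 for s in signers
                       if s == own_key or ownertrust.get(s) == FULL)
            marginal = sum(1 for s in signers
                           if s != own_key and ownertrust.get(s) == MARGINAL)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid.add(target)
                changed = True
    return valid

if __name__ == "__main__":
    cases = {
        "ownertrust on Adam only": {"adam": FULL},
        "ownertrust on Adam and Bonnie": {"adam": FULL, "bonnie": FULL},
        "Bonnie only marginal": {"adam": FULL, "bonnie": MARGINAL},
        "ownertrust on Bonnie, none on Adam": {"bonnie": FULL},
    }
    for label, ot in cases.items():
        print(f"{label}: valid = {sorted(calculated_validity('clarisse', ot, CERTS))}")
```

In the first case Bonnie's key is valid but David's is not: validity of Bonnie's key says nothing about relying on her certifications, which is the distinction between the two terms. In the last case Bonnie's ownertrust has no effect because her key never becomes valid.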



Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds