|
|
Subscribe / Log in / New account

An update on GnuPG

An update on GnuPG

Posted Oct 10, 2017 23:18 UTC (Tue) by wa (subscriber, #107586)
In reply to: An update on GnuPG by droundy
Parent article: An update on GnuPG

Two noob comments/questions:

1 - Can't trust be a continuous variable rather than binary, where trust is built up over time? Once this is in place it might invite mechanisms for verifying against an increase in trust over time. TOFU would then increase trust from 0 to some base value <1.

2 - If there is a peer2peer network WoT verification could be automated. This could be a network of email contacts and presumably could be automated.

Does that make sense?


to post comments

An update on GnuPG

Posted Oct 11, 2017 3:36 UTC (Wed) by gdt (subscriber, #6284) [Link]

> where trust is built up over time?

Presumably you mean "built up with use". But it's a different measure: just because I'm regularly mislead doesn't mean that I'm not mislead.

The converse situation happens regularly. If you've ever been to a keysigning you'll have lots of highly-trusted keys (you've seen their passport, driver's licence, a mutual friend of a decade vouched for them, and no one in a room of a hundred people said they were someone else), but you might never correspond with them. Why should this lack of correspondence lower their trust score?

> If there is a peer2peer network WoT verification could be automated

Doesn't really help, as there's no reason for one p2p peer to be more trusted than another. So all the peers could announce differing public keys and you'd have no notion as to which is the genuine key.

The point of using the e-mail provider is that they can be more trusted than some other server, as the email service has additional means to associate that public key with the email address (eg, the public key was uploaded using the userid+password for the mail service).


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds