An update on GnuPG
Posted Oct 10, 2017 23:18 UTC (Tue) by wa (subscriber, #107586)
In reply to: An update on GnuPG by droundy
Parent article: An update on GnuPG
1 - Can't trust be a continuous variable rather than binary, where trust is built up over time? Once this is in place it might invite mechanisms for verifying against an increase in trust over time. TOFU would then increase trust from 0 to some base value <1.
2 - If there is a peer2peer network, WoT verification could be automated. This could be a network of email contacts and presumably could be automated.
Does that make sense?
Posted Oct 11, 2017 3:36 UTC (Wed) by gdt (subscriber, #6284)
Presumably you mean "built up with use". But it's a different measure: just because I'm regularly misled doesn't mean that I'm not misled.
The converse situation happens regularly. If you've ever been to a keysigning you'll have lots of highly-trusted keys (you've seen their passport, driver's licence, a mutual friend of a decade vouched for them, and no one in a room of a hundred people said they were someone else), but you might never correspond with them. Why should this lack of correspondence lower their trust score?
> If there is a peer2peer network WoT verification could be automated
Doesn't really help, as there's no reason for one p2p peer to be more trusted than another. So all the peers could announce differing public keys and you'd have no notion as to which is the genuine key.
The point of using the e-mail provider is that they can be more trusted than some other server, as the email service has additional means to associate that public key with the email address (e.g., the public key was uploaded using the userid+password for the mail service).