|
|
Subscribe / Log in / New account

Fedora considers removing NIS support

Fedora considers removing NIS support

Posted Nov 9, 2021 17:19 UTC (Tue) by nix (subscriber, #2304)
In reply to: Fedora considers removing NIS support by LtWorf
Parent article: Fedora considers removing NIS support

> Well you can exchange numbers on dating apps, for work, you can post ads with your phone to sell your old couch, and as I said the phone audio quality is not nearly the same as real world audio.

Sure! But in all these cases these are people you don't actually know at all. Surely in that case the trustworthiness of the communication is kinda irrelevant? The relevant point is the one you knew before you started: this is a number that connects to someone you don't know, and you have no actual reason to trust that the phone number is the number you think it is. No PGP-style web of trust would help here either because *you don't know this person*: the PGP web of trust's trust should be zero (though thanks to the lunacy that is transitive trust, if the web was wide enough it might *not* be zero, entirely falsely) and the Signal web of trust tells you "I trust that this person owns this phone number" -- but you still don't trust the phone number! And this is mostly something that human beings in the real world are familiar with: though mistakes in this area do happen and are the foundation of a lot of social engineering attacks, many of which are as old as the telephone and at least some of which have been in existence for as long as the mail (e.g. who wrote the letter which exposed the Gunpowder Plot? Some speculate that it might have been Robert Cecil, the then Secretary of State... that's the exact same attack, in the early 17th century.)

And this idea (a phone number which claims in the place you found it to be e.g. a work number but is actually someone else's) is a social engineering problem which cannot possibly be fixed by any sort of technical solution below a hypothetical reliable global identity service (and then you have to worry about the people who run that service). No such service exists, nor likely can it in the absence of a trustworthy world government.

(I don't think the security of Signal or PGP in re determining the trustworthiness of your communicants is likely to be relevant with regard to selling your old couch. You don't need to trust those people to do anything but give you money and turn up and take your couch away, and if they don't do the one they don't get the other. You don't *need* to trust them or know who they are.)

to post comments

Fedora considers removing NIS support

Posted Nov 9, 2021 19:35 UTC (Tue) by farnz (subscriber, #17727) [Link]

A Web of Trust (WoT) doesn't have transitive trust by default; owner trust is set by you, and not imported from the key servers (ever).

If you don't trust anyone else's assertions about a link between an identity and a key, then you do not give anyone other than yourself owner trust. You end up with key trust only existing for keys that you've verified yourself.

In practice, this isn't how identity works in human interaction - you trust not only identities that you've verified yourself, but also identities that other people give you in an introduction. A published signature from me on someone else's key is the WoT equivalent of me being willing to introduce this person under this identity to anyone I know; you can decide how much introductions from me are worth (owner trust), and that will lead into the WoT algorithms deciding whether you'd be willing to trust a key based on who's willing to introduce you to the owner of that key.

Now, the GPG implementation of the WoT has a lot of UX problems, which mean that it gets into a bad state - but that's not WoT style, that's GPG's implementation:

  1. "Ultimate" owner trust binds key trust (how confident you are that the key belongs to the ID that claims it) to owner trust (how much you trust the key owner's introductions).
  2. It uses jargon. "Owner trust" is GPG's term for how confident you are that someone can be trusted to verify that a key and identity match up, "key trust" is GPG's term for how confident the WoT is that the identity and key match. Owner trust has no transitive component - that's entirely set by you based on how confident you are that you can trust a person, while key trust is transitive from owner trust.
  3. When displaying key trust to you, the outcome is binary; either a key is verified, or it isn't. It would be a lot better if you knew how trusted a key was, even though only 100% key trust affects whether or not owner trust comes into play.
  4. There's only three levels of owner trust - by default, 0%, 33% and 100%, although you can tweak in config - which doesn't map well to the way people think about trust.
  5. Related to the above, there's no way to have multiple levels of owner trust for the same person depending on context; for example, in a work context I might have full owner trust in my manager, but in a home context, I might only have limited trust.

In terms of the jargon, if I were willing to put the work in to fix WoT issues, I'd make "owner trust" the only form of trust; "key trust" would become "verification". Then, keys that are fully verified would have their owner trust used to help verify more keys; trust remains something that you only set manually.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds