Talk:Web of trust
reason for contrasting discussion
The discussion in this article on non Web of Trust schemes is included to contrast with Web of Trust. Many readers will not see, merely from an account of one, its vices/virtues with respect to the other. In this sense it is neither extraneous nor off-topic for this article. ww 18:01, 8 May 2004 (UTC)
- It is certainly valuable info. I foresee a time in which it is augmented and put in an article of its own, and this article can focus on the comparisons rather than the meat. Thanks for your other edits. NealMcB 21:05, 2004 May 8 (UTC)
- You're welcome. There are several other articles on PKI, X.509, certificates, and such. This being the only one on Web of Trust, the reasons for preferring it (being in contrast to the main alternative) needed to be made evident to the reader. Whether one agrees with them (or should or shouldn't) or not. ww 15:05, 10 May 2004 (UTC)
'collapse of comm PKIs' phrase
Many commercial PKIs are no longer functional as the companies which controlled them have collapsed
I don't think of a PKI as being a distinct thing formed by each root cert, but as a broader thing based on a particular technology and set of interlocking certs, servers, etc. And the hierarchies are unfortunately still functional in the sense that people trust the certs in them - that is the danger. NealMcB 21:05, 2004 May 8 (UTC)
- Nealmcb, This was mine. I was attempting to convey in a word (and seem to have failed to do so) that the reason for said (now failed) PKIs to exist -- providing trust for users in the validity of public keys in certificates for which they vouch -- has become non functional. The sense in which you took it wasn't intended. Can you suggest an alternative wording which doesn't miscarry but achieves the intent? ww 15:05, 10 May 2004 (UTC)
- I knew that was what you meant, but I think the other point is more important, and this consequence is obvious once the other is pointed out. NealMcB 20:53, 2004 May 10 (UTC)
- Neal, I have looked at your rev and don't think Our Reader (the not so crypto guy) will see it as obvious as you suggest. I've added some explicit phrasing. See what you think. ww 16:23, 11 May 2004 (UTC)
- Thanks for pluggin' away. Some improvement, but also some regression, I think. In particular, calling a rooted hierarchy of certs a "PKI" goes against all the usage I see, since the infrastructure includes so many other things.
- Neal, What we do with a cert is our choice, but the PKI exists to attest to the binding (and fix various goofs, as in a CRL) so that what we do can have some credibility to various observers including ourselves. All else is 'syntactic sugar', sort of. At least in conceptual terms. Surely, there's much else, but is it needed here? Can't see how to be correct without also being a red herring in some sense. At least an 'unnecessary' detour, by some definition of necessary. Ideas? ww 14:40, 12 May 2004 (UTC)
- I also think we need to avoid suggesting that a pgp cert binds a key to a user. It just binds a key to a description of the key, usually an email addr, or many of them. They may indicate different roles of one user, or many users may hold shared responsibility for a key (e.g. via secret sharing), etc. Ellison's SPKI literature elaborates on this notion, which affects X.509 even worse. I'll try to add some more comments when I get a chance. NealMcB 18:26, 2004 May 11 (UTC)
- Neal, I was trying so hard to avoid getting into what a 'user' was. Sigh... You are clearly correct that the binding is not to an entity (person, virtual person, dog, goldfish, ...) but to a description of some such. But if we fall into this, many will be the troubles we'll be heir to. On the one hand brevity and lucidity (if fog and some inaccuracy), on the other precision and prolix obscurity. You takes your choice of poisons. Perhaps a reference to an article discussing the meaning of identity in electronic terms (including cert binding and attestations thereto)? Your turn to gyre and gimble in the wabe of the briar patch. (yonder be Harris and Dodgson, spinning). ww 14:40, 12 May 2004 (UTC)
'PGP WofT chugs on' phrase
The PGP web of trust, in contrast, has continued regardless
Having modified the antecedent as noted above, I took this out. Also because certainly many PGP keys are also no longer well managed and at risk. But we could say lots about the robustness benefits of a multiply-connected PKI vs a single hierarchy. NealMcB 21:05, 2004 May 8 (UTC)
- N, The intent was to note that (whether or not you like it) PGP's WofT, warts and all, was unaffected by the commercial upheaval. Still a point worth making for the reader, I think. ww 15:05, 10 May 2004 (UTC)
- I love the PGP WoT. But it is also used by commercial entities some of which have surely gone out of business or stopped maintaining their certs. That's why I think a discussion of architectural issues is the way to go. NealMcB 20:53, 2004 May 10 (UTC)
- Neal, Well.... I'm not sure I love it, I just think it doesn't centralize something that's not best done centrally. If you don't know how to design a system/scheme/protocol that's bullet proof, let folks do it themselves. If they then shoot themselves in the foot, it's sad, but the best available. But anyway, the point that the WofT has continued despite the burst bubble is, I think still worth making. That many PGP keys (including one of Schneier's -- see Practical Crypto) are no longer valid is not really apposite here, I think. True though, and probably should be pointed out. I've made a change which tries to do so. Comment? ww 16:23, 11 May 2004 (UTC)
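The "robustness of a multiply-connected PKI vs a single hierarchy" point argued in this section can be made concrete with a small model. The following is an added illustration, not part of the talk page or of any PGP or X.509 implementation: it treats a hierarchical chain as a list of (subject, issuer) links that must end at a currently trusted root, and a web of trust as a signature graph evaluated with the PGP-style rule that a key becomes valid when it carries enough signatures from already-valid introducers (GnuPG's defaults, 1 fully trusted or 3 marginally trusted introducers within 5 hops, are used as the thresholds; depth is approximated by iteration count). All key and CA names are invented for the example.

```python
"""Toy comparison of a single-root hierarchy and a PGP-style web of trust
when one trust anchor or introducer disappears.  Added example; names are
invented, and the trust computation is a simplification of GnuPG's."""


# ---- Hierarchical (X.509-style) model --------------------------------------
def chain_valid(chain, trusted_roots):
    """chain: [(subject, issuer), ...] from end entity up to the root cert.
    Valid only if every link connects and the last issuer is a trusted root,
    so the whole chain depends on that single anchor."""
    if not chain:
        return False
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return False  # broken link in the chain
    return chain[-1][1] in trusted_roots


# ---- Web-of-trust (PGP-style) model ----------------------------------------
def wot_valid(key, signatures, trust, me,
              completes_needed=1, marginals_needed=3, max_depth=5):
    """signatures: [(signer_key, signed_key), ...]; trust: owner-trust per
    key, 'full' or 'marginal'.  A key is valid if signed by `me`, or by at
    least completes_needed valid fully-trusted keys, or by at least
    marginals_needed valid marginally-trusted keys.  Thresholds default to
    GnuPG's 1/3 with a 5-hop depth limit (assumed here)."""
    valid = {me}
    for _ in range(max_depth):
        changed = False
        for cand in {signed for _, signed in signatures} - valid:
            signers = {s for s, signed in signatures
                       if signed == cand and s in valid}
            fulls = sum(1 for s in signers if s == me or trust.get(s) == "full")
            margs = sum(1 for s in signers if trust.get(s) == "marginal")
            if fulls >= completes_needed or margs >= marginals_needed:
                valid.add(cand)
                changed = True
        if not changed:
            break
    return key in valid


# ---- Scenarios --------------------------------------------------------------
def hierarchy_scenario():
    """Returns (valid while the root is trusted, valid after the root's
    operator folds and the root is dropped from the trust store)."""
    chain = [("alice@example.org", "Example Issuing CA"),
             ("Example Issuing CA", "Defunct Commercial Root")]
    return (chain_valid(chain, {"Defunct Commercial Root"}),
            chain_valid(chain, set()))


def wot_scenario():
    """Returns validity of alice's key with four marginal introducers, then
    after one introducer's key goes unmaintained, then after a second does."""
    introducers = ["bob", "carol", "dave", "erin"]
    sigs = [("me", k) for k in introducers] + [(k, "alice") for k in introducers]
    trust = {k: "marginal" for k in introducers}

    def without(lost):
        s = [sig for sig in sigs if sig[0] not in lost]
        t = {k: v for k, v in trust.items() if k not in lost}
        return wot_valid("alice", s, t, "me")

    return (without(set()), without({"carol"}), without({"carol", "dave"}))


if __name__ == "__main__":
    print("hierarchy (before, after root lost):", hierarchy_scenario())
    print("web of trust (all, -1 introducer, -2 introducers):", wot_scenario())
```

The hierarchy goes from valid to invalid the moment its one root is no longer trusted, which is the "collapse" the thread is arguing about. The web of trust survives the loss of one introducer because the user chose redundancy (four marginal signers against a threshold of three), but it fails once two are gone: the robustness is real, yet it is a property of how well connected a particular key is, not a guarantee, which is consistent with the remark above that many PGP keys are themselves no longer well managed.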