[Cryptography] PGP Key Signing parties (Trust Link Grid)

Ralf Senderek crypto at senderek.ie
Thu Oct 31 12:17:33 EDT 2013


I'd like to fuel the interest in a more closely knit Web of Trust for
PGP keys with a bit of history.

In 1998 a book was published (in very small numbers) that contained a few hundred
people's public keys with their fingerprints, mainly from academic circles.
It was called "The Global Trust Register 1998". The book certainly helped me to establish
a trust chain to the PGP key used to sign the PGP source code at the time.

As the book put certain prominent PGP keys in print it helped to make circulation
of faked keys more difficult. But it certainly was not able to provide an infrastructure
that anyone could use to gain first-hand-knowledge of PGP keys.

In 2001 I discussed a proposal with Ross Anderson that might have closed that gap
but it was not being advanced at the time, so I'll describe it briefly here for evaluation:

    The Trust Link Grid (TLG)

    "The initiative is based on the assistance of a number of volunteers to make sure that
    a reliable public PGP key is in reach of 100 Km globally, by establishing a grid of nodes
    that publish first-hand-knowledge about PGP keys, that cannot be forged easily.

    The TLG should provide a solution to this problem:

      "How can anyone gather enough evidence based on non-electronic
       first-hand personal knowledge to be sure that a key of whatever
       kind is really used by a certain individual to the best of
       the knowledge of those who published the first-hand information."

    I hope it will be possible to encourage individuals to act as
    a "Trust Link Node", as a contact person for others to confirm
    some first-hand information to them. I don't know how many
    volunteers would be needed but to cover Britain twenty individuals
    would make sure that a reliable key is no more than 60 Km away.

    Each node creates a Trust-Link-Key and verifies his key to the
    node in the north, east, south and west. That takes no more than
    400 Km of driving each, leaving a "Trust-Link-Statement" with
    every person contacted.

    Every node publishes the TL-key together with at least four
    TL-statements on a website, which confirm that there had been
    a personal contact and a key verification procedure that meets
    certain standards (like A-level keys in GTR).

    This should not absorb too much energy. And with every additional
    personal contact (at conferences or whatever) between two volunteers
    a node can collect new TL-statements to be published on their
    local website as well." (Jan. 2001)

This decentralized approach does not need a globally agreed-on standard;
in contrast, it only uses signed ASCII messages stating first-hand knowledge
in plain English that has been gathered without electronic means but is
verifiable by checking the TL-statements for any path you like.

The trust that lies in the grid is founded on the risk that publicly stated
first-hand knowledge by a node turns out to be false. That would harm the online
reputation of the individual that is running the node, as there are always at least
four more independent TL-statements from other people for each such information.

    "The main purpose of the initiative is risk reduction.
    Unlike normal signatures on keys, trust link statements have
    semantics: they state facts that make it risky to cheat,
    both for the nodes and for the local individual.
    The reliability depends on the consistency of the system,
    that some fact is independently confirmed by others whose
    keys can be verified in a similar way, relying on other keys
    which in turn have a number of independent verifications." (Jan 2001)
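To make the verification step concrete, here is an added example (an editor's sketch, not part of the 2001 proposal or of any real TLG code) in Python: each node publishes its TL-key together with the TL-statements visitors left with it, and a reader accepts a key only when at least four distinct, already-trusted nodes have left statements that verify under their own keys and name that key's fingerprint. It assumes a toy Lamport one-time signature in place of PGP, and the node names, statement wording and grid layout are constructed.

```python
import hashlib
import os
H = lambda b: hashlib.sha256(b).digest()

def tl_keygen():  # toy Lamport one-time key pair, standing in for a node's PGP TL-key
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]
def _bits(msg):
    return [(int.from_bytes(H(msg), "big") >> i) & 1 for i in range(256)]
def tl_sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]
def tl_verify(pk, msg, sig):
    return len(sig) == 256 and all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))
def fingerprint(pk):
    return hashlib.sha256(b"".join(a + b for a, b in pk)).hexdigest()[:16]

def tl_statement(signer, signer_sk, subject, subject_pk):
    # plain-English first-hand statement, bound to the subject's key by its fingerprint
    text = f"{signer}: I met {subject} in person and verified TL-key {fingerprint(subject_pk)}".encode()
    return {"signer": signer, "subject": subject, "text": text, "sig": tl_sign(signer_sk, text)}

def trusted_nodes(first_hand, published, min_statements=4):
    # first_hand: {name: pk} verified in person; published: {name: {"pk": pk, "statements": [...]}}.
    # A node is accepted once >= min_statements distinct, already-trusted nodes vouch for its key.
    trusted = dict(first_hand)
    changed = True
    while changed:  # accepting one node can unlock others, so iterate to a fixpoint
        changed = False
        for name, site in published.items():
            if name in trusted:
                continue
            fp = fingerprint(site["pk"]).encode()
            vouchers = {s["signer"] for s in site["statements"]
                        if s["signer"] in trusted and s["subject"] == name and s["text"].endswith(fp)
                        and tl_verify(trusted[s["signer"]], s["text"], s["sig"])}
            if len(vouchers) >= min_statements:
                trusted[name], changed = site["pk"], True
    return trusted

def demo_grid():
    # constructed grid: the reader met north/east/south/west; all four visited "centre";
    # "far" shows three genuine statements plus one forged in north's name without north's key
    keys = {n: tl_keygen() for n in ["north", "east", "south", "west", "centre", "far"]}
    published = {n: {"pk": pk, "statements": []} for n, (_, pk) in keys.items()}
    for n in ["north", "east", "south", "west"]:
        published["centre"]["statements"].append(tl_statement(n, keys[n][0], "centre", keys["centre"][1]))
    for n in ["east", "south", "centre"]:
        published["far"]["statements"].append(tl_statement(n, keys[n][0], "far", keys["far"][1]))
    published["far"]["statements"].append(tl_statement("north", tl_keygen()[0], "far", keys["far"][1]))
    return trusted_nodes({n: keys[n][1] for n in ["north", "east", "south", "west"]}, published)
```

Running demo_grid() accepts "centre" but not "far": the forged statement fails under north's real key, leaving only three independent confirmations.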
