The future of security

Guus Sliepen guus at
Sun May 30 18:31:06 EDT 2004

On Sun, May 30, 2004 at 12:36:53PM -0700, bear wrote:

> The bigger problem is that webs of trust don't work.
> They're a fine idea, but the fact is that nobody keeps
> track of the individual trust relationships or who signed
> a key;  few people even bother to find out whether there's
> a path of signers that leads from them to another person,
> or whether the path has some reasonably small distance.

PGP keys are used extensively in the Debian community; new developers
are only accepted if their PGP key has been signed by another Debian
developer, so that there always is a trust path from one developer to
any other. Some important things, like the upload of new packages or
submitting votes, will only be accepted by the automated services if
everything is properly signed.

There is a strong incentive in this community to have a signed PGP key;
if you didn't have one you couldn't do anything. In other areas there
just is no incentive for having such a thing... like email; it works
even if you don't sign it.

> I have not yet seen an example of "reputation" favoring
> one person over another in a web of trust model; it looks
> like people can't be bothered to keep track of the trust
> relationships or reputations within the web.

I think that's because the tools are lacking. GnuPG can determine trust
paths, but you have to manually assign trust levels to certain keys
and update the trustdb (which takes an awfully long time). If it would
just work a bit faster and determine and show trust paths out of the
box, I think PGP's web of trust model would be used a lot more.

Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus at>
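As an added illustration of what the thread is discussing (a path of signers and a "reasonably small distance"), the following is example code, not part of the original post and not GnuPG's own trustdb logic: a breadth-first search over a constructed, hypothetical key-signature graph that finds the shortest signer chain between two keys and rejects chains longer than a hop limit.

```python
from collections import deque

# Constructed sample data (hypothetical key IDs, not real keys):
# SIGNED maps a key to the set of keys it has signed, i.e. an edge
# signer -> signee. A trust path from A to B is a chain of such edges.
SIGNED = {
    "ALICE": {"BOB", "CAROL"},
    "BOB": {"ALICE", "DAVE"},
    "CAROL": {"ALICE"},
    "DAVE": {"BOB", "ERIN"},
    "ERIN": {"DAVE"},
    # "FRANK" appears nowhere as a signee: nobody vouches for that key.
}


def trust_path(signed, start, target, max_hops=3):
    """Return the shortest signer chain from start to target, or None.

    Breadth-first search yields the shortest chain first; any chain that
    would exceed max_hops is discarded, modelling the requirement that a
    trust path be of reasonably small distance.
    """
    if start == target:
        return [start]
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue                      # extending this chain would be too long
        for nxt in signed.get(path[-1], ()):
            if nxt in seen:
                continue
            new_path = path + [nxt]
            if nxt == target:
                return new_path
            seen.add(nxt)
            queue.append(new_path)
    return None


def reachable_within(signed, start, max_hops=3):
    """Map every key reachable from start to its signer-chain distance."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        key = queue.popleft()
        if dist[key] >= max_hops:
            continue
        for nxt in signed.get(key, ()):
            if nxt not in dist:
                dist[nxt] = dist[key] + 1
                queue.append(nxt)
    return dist
```

`reachable_within` is the "show trust paths out of the box" view: it lists, from one key, every key that has a signer chain at all and how long that chain is.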

More information about the cryptography mailing list