The future of security

Eugen Leitl eugen at
Mon May 31 03:25:14 EDT 2004

On Sun, May 30, 2004 at 12:36:53PM -0700, bear wrote:

> > > If I'm a node in a web of trust (FOAF is a human), prestige will
> > > percolate through it completely. That way I can color a whole
> > > domain with a nonboolean trust hue, while a domain of fakers will
> > > have only very few connections (through compromises, or human
> > > mistakes), which will rapidly be sealed, once actually used to do
> > > something to lower their prestige ("I signed the key of a spammer,
> > > please kill me now").
> >
> > The trouble is that it requires human action, which is expensive and
> > becoming more expensive.

Sending mail originating with a person always requires human action.
If one cannot be bothered to mark friends in his addressbook as humans (in
fact, the very act of adding someone to an addressbook is sufficient, that
information just needs to be processed).

Do spammers have many friends? They certainly network.

> The bigger problem is that webs of trust don't work.
> They're a fine idea, but the fact is that nobody keeps
> track of the individual trust relationships or who signed

The point of an automated web of trust is that the machine is doing the
accounting for you.

> a key;  few people even bother to find out whether there's
> a path of signers that leads from them to another person,
> or whether the path has some reasonably small distance.

Human network connectivity has such properties. The entire graph is
connected, and each person is reachable via a few hops. Given that there are
only a few billion people on this planet, such a database should be quite
easy to store and to query in a P2P fashion. It only becomes nontrivial when
it has to be distributed, and immune to content forgery and DoS.

> I have not yet seen an example of "reputation" favoring
> one person over another in a web of trust model; it looks
> like people can't be bothered to keep track of the trust
> relationships or reputations within the web.

The real issue is whether people can volunteer information stored in their
addressbook. Not everybody is an Orkut/Friendster/FOAF exhibitionist.

Eugen* Leitl leitl
ICBM: 48.07078, 11.61144  
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
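
Added example, not part of the original message or the list archive: a sketch of the machine-side accounting this thread argues about, where trust decays per hop from your own key, independent signer paths raise a key's score, and withdrawing one mistaken signature cuts off a whole cluster of fakers. The graph, the names, the decay factor and the scoring rule are all assumptions made for illustration.

```python
from collections import deque

# Constructed sample graph: signer -> keys they signed (all names hypothetical).
SIGNATURES = {
    "me":    {"alice", "bob"},
    "alice": {"bob", "carol"},
    "bob":   {"carol", "dave"},
    "carol": {"dave"},
    "dave":  {"spam1"},            # the one mistaken signature into the faker domain
    "spam1": {"spam2", "spam3"},   # fakers cross-sign each other heavily
    "spam2": {"spam1", "spam3"},
    "spam3": {"spam1", "spam2"},
}

def hop_distances(graph, root, max_hops):
    """Breadth-first search: shortest signer-path length from root, capped at max_hops."""
    dist = {root: 0}
    queue = deque([root])
    while queue:
        signer = queue.popleft()
        if dist[signer] == max_hops:
            continue                      # do not look beyond the hop limit
        for signee in graph.get(signer, ()):
            if signee not in dist:
                dist[signee] = dist[signer] + 1
                queue.append(signee)
    return dist

def trust_scores(graph, root, decay=0.5, max_hops=4):
    """Non-boolean trust: each signer closer to root independently reduces doubt."""
    dist = hop_distances(graph, root, max_hops)
    signers_of = {}
    for signer, signees in graph.items():
        for signee in signees:
            signers_of.setdefault(signee, set()).add(signer)
    score = {root: 1.0}
    for key in sorted(dist, key=dist.get)[1:]:   # nearest first, root skipped
        doubt = 1.0
        for s in signers_of.get(key, ()):
            # Only signers strictly closer to root count, so cross-signing
            # inside a distant cluster cannot inflate that cluster's score.
            if s in dist and dist[s] < dist[key]:
                doubt *= 1.0 - decay * score[s]
        score[key] = 1.0 - doubt
    return score

def revoke(graph, signer, signee):
    """Return a copy of the graph with one signature withdrawn ("sealed")."""
    return {s: (keys - {signee} if s == signer else set(keys)) for s, keys in graph.items()}
```

With the sample graph, `trust_scores(SIGNATURES, "me")` rates `carol` (two independent signers) above `dave` (one), and `trust_scores(revoke(SIGNATURES, "dave", "spam1"), "me")` no longer contains any of the `spam` keys.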

More information about the cryptography mailing list