[Cryptography] How to build trust in crypto
Guido Witmond
guido at witmond.nl
Mon Mar 17 18:10:03 EDT 2014
On 03/17/14 15:42, Ralf Senderek wrote:
> One of you key points is the role your/our blog/web site plays in
> preparing the ground for the trusted channel between two site users.
> As I see it, there is an important element missing, which is context.
> With a few messages signed on your blogsite, all I have is a public
> key but no context about the individual behind it. Can I trust the
> public key? I don't know, because of a lack of context.
Indeed, without context, a key is just meaningless, it's all about what
people do.
> Bruce Schneier's new PGP key (EDACEA67) has only one signature, it's
> self-signed. If I found some meaningless comment or blog post signed
> with EDACEA67 at myblogsite, I would not trust this pubkey to secure
> a meaningful, secure contact to Bruce. It is the context in which
> the key appears, Bruce's website, that induces trust even if he
> deliberately abstains from using any kind of PKI.
And that is exactly the way I envision it. Active communities where
people learn of each other, interact, gain trust in each other, gain and
lose reputations. Reputations based upon pseudonyms. Easy to shed off by
deleting a private key. Ready to start over, without long lasting effects.
> Your focus obviously is on anonymity, but I think that in avoiding
> context, we don't get trust. The introduction of your website as an
> intermediary should not just be used as a technical match-maker, it
> should also be able to reliably tie context information to the public
> keys you are using as identities.
The anonymity/pseudonymity is very important for me. It allows people to
participate in a community while hiding their true identities.
People cannot be free when there is a group that monitors every aspect
of your life, connecting dots that you want to keep separated.
In [1], I describe a use case of Ugandan gays who want to meet without
getting to jail for it.
In [2], I describe how this protocol can be used by journalists, a world
where Snowden would not had to have to teach Greenwald how to use
cryptography. There I give it context.
I guess, in the past, I didn't make that context clear enough.
Regards, Guido Witmond.
1: http://www.metzdowd.com/pipermail/cryptography/2014-March/020417.html
2:
https://www.newschallenge.org/challenge/2014/submissions/make-internet-security-easy-to-use-no-brains-needed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140317/b259e953/attachment.pgp>
More information about the cryptography
mailing list