[Cryptography] How to build trust in crypto

Guido Witmond guido at witmond.nl
Mon Mar 17 18:10:03 EDT 2014

On 03/17/14 15:42, Ralf Senderek wrote:

> One of you key points is the role your/our blog/web site plays in
> preparing the ground for the trusted channel between two site users.
> As I see it, there is an important element missing, which is context.
> With a few messages signed on your blogsite, all I have is a public
> key but no context about the individual behind it. Can I trust the
> public key? I don't know, because of a lack of context.

Indeed, without context, a key is just meaningless, it's all about what
people do.

> Bruce Schneier's new PGP key (EDACEA67) has only one signature, it's
> self-signed. If I found some meaningless comment or blog post signed
> with EDACEA67 at myblogsite, I would not trust this pubkey to secure
> a meaningful, secure contact to Bruce. It is the context in which
> the key appears, Bruce's website, that induces trust even if he
> deliberately abstains from using any kind of PKI.

And that is exactly the way I envision it. Active communities where
people learn of each other, interact, gain trust in each other, gain and
lose reputations. Reputations based upon pseudonyms. Easy to shed off by
deleting a private key. Ready to start over, without long lasting effects.

> Your focus obviously is on anonymity, but I think that in avoiding
> context, we don't get trust. The introduction of your website as an
> intermediary should not just be used as a technical match-maker, it
> should also be able to reliably tie context information to the public
> keys you are using as identities.

The anonymity/pseudonymity is very important for me. It allows people to
participate in a community while hiding their true identities.

People cannot be free when there is a group that monitors every aspect
of your life, connecting dots that you want to keep separated.

In [1], I describe a use case of Ugandan gays who want to meet without
getting to jail for it.
In [2], I describe how this protocol can be used by journalists, a world
where Snowden would not had to have to teach Greenwald how to use
cryptography. There I give it context.

I guess, in the past, I didn't make that context clear enough.

Regards, Guido Witmond.

1: http://www.metzdowd.com/pipermail/cryptography/2014-March/020417.html

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140317/b259e953/attachment.pgp>

More information about the cryptography mailing list