certificate chain depth

Robert J. Hansen rjh at sixdemonbag.org
Sat Apr 25 23:45:26 CEST 2009


david wrote:
> it's a value judgement - that over time, changing conditions may not 
> reflect the "trust" one had in regard to the person.

This is why signatures can be revoked.

> I'm not likely to put trust into systems.

Really?  You already have.  For instance, do you have the capability,
right here, right now, to grow or obtain your own food?  If not, then
you're trusting in your local food distribution system.  If it goes out,
then you're in a world of hurt.  Do you have the capability to obtain
potable water?  If not, then you're trusting your water system.

The question is not _if_ you trust, but _who and what_ you trust, and
whether that trust will be a blind trust or an examined trust.  Blind
trust tends to get people in a lot of trouble; examined trust lets you
prepare for what happens if and when that trust is breached.

There's a reason why I have three days of MREs and ten liters of
drinking water in my pantry.  I trust food distribution and I trust my
water system.  And it's because of that trust that I have backups.

On balance, I think it is better to practice examined trust than
unexamined trust.  But that said... I am an advocate of trust.

> or (it just struck me) that I may want to compromise someone
> (shudder)

Compromise means you have failed to uphold your publicly stated policy.
If people are able to put you in a position where you have to
compromise your policy, that should be the cause for some soul-searching
about where you erred in your policy.

If your policy is, "I will divulge communications if required to by a
court, or if necessary to prevent lawless action, or to save human
life," and you go out and do just that -- that's not a compromise at all.

> where are we now then? a small group of people that's fairly secure

If by "secure" you mean "my system is not compromisable and my
communications cannot be intercepted," then none of us are secure.  None
of us are even fairly secure by that standard.

Generally speaking, GnuPG gives excellent protection against one
particular part of the communications security profile.  It is not a
comprehensive solution.

If my system is secure and my communications are uncompromised, it is
only because I have not yet risen to the notice of those who have the
power to change it, while I have simultaneously put myself beyond the
likely reach of amateurs.

To the extent there is a "fairly secure" worth talking about, that's it.
IMO, that's not "fairly secure" at all.  It's best to keep a sense of
proportion about these things, and not to fall into a false sense of
security.



