WoT question - policy

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Nov 16 17:31:35 CET 2018


On Fri 2018-11-16 17:00:33 +0100, Stefan Claas wrote:
> I understand your points, but like to point out my view of sig0
> and why i think it is not good and why i wrote a policy that way.

I think you're talking about this:

>     With the sig0 approach i have the following problem: I could create
>     a couple of fake keybase accounts, for example, give each other a
>     sig0 and then what is this good for if i follow the advice from the
>     blog and what trust should a third party gain from this many sig0 on
>     such a key?

I confess i do not understand what this has to do with sig0.  Surely the
same "attack" can be mounted via sig2?  I also don't know what "advice
from the blog" means, and i don't think the word "trust" in the final
question is well-defined -- what third party gains what kind of trust?
Sorry to be so dense!

In response to the situation i *think* you're describing, i'd say:

   If you rely on mere quantity of any type of certification from
   parties you cannot identify and have no clear reason to trust, then
   you are open to a trivial Sybil attack.
   [https://en.wikipedia.org/wiki/Sybil_attack]

>> Keep it simple.  (or, don't bother)
>
> Agreed, use X.509... ;-)

eh?  I have never said (and would never say) that X.509 is "simple".
it's grossly overcomplicated for what it's typically used for, even
worse than OpenPGP.

>  (disagree, see my point when it comes to Protection of Minors)

I think you're referring to this part of
https://stefan_claas.keybase.pub/policy.txt:

> ***Protection of minors***
> 
> While there is no law, as far as i know, which says you are only allowed
> to use strong encryption tools if you are an adult i like to point out
> one thing which parents or young teenagers, brand new to PGP / GnuPG and
> the Web of Trust, must understand.
> 
> The word trust does *not* mean: Hey, this is a cool girl or guy, i can trust,
> because he/she uses PGP/GnuPG and has signatures on his/her public key. It simply
> means that it publicly states that "someone" has somehow attested that the public
> key belongs to that "person".
> 
> Therefore i strongly advise parents and young teenagers to back up the secret
> key, *including the passphrase* written on a piece of paper. Deposit them in a 
> safe place. Back up your communications and encrypt to yourself. Should something
> happen, law enforcement is then able to read the messages.

The middle paragraph is exactly the point i was making in my earlier
mail -- definitely agree. :)

But i fail to see what any of this has to do with minors specifically
(surely the good guidance applies after reaching the age of majority as
well), or how law enforcement happened to sneak in at the end there.  I
suspect you're imagining some specific scenario that i don't know about,
but i don't know what it is or how it relates to OpenPGP certification.

Regards,

    --dkg
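The Sybil point above (that counting certifications from parties you cannot identify is trivially gamed) is easy to see in a small model. The following Python is an added example by the editor, not code from this thread or from GnuPG: it builds a constructed certification graph in which an attacker's cluster of ten self-made keys ("sybil0".."sybil9") all certify a key "mallory", and compares a naive "at least N certifications" policy against a simplified GnuPG-style validity computation (full/marginal ownertrust, three marginals needed, bounded path length). The key names, the ownertrust assignments and the graph are assumptions made for the demonstration; the WoT routine is a simplification of GnuPG's trust-db logic, not a reimplementation of it.

```python
from typing import Dict, Set

# target key -> set of key IDs that have certified it (constructed data only)
Certs = Dict[str, Set[str]]


def sybil_cluster(prefix: str, n: int, victim: str) -> Certs:
    """Attacker mints n keys that cross-certify each other and all certify
    `victim`, the key the attacker wants to look well-attested."""
    fakes = [f"{prefix}{i}" for i in range(n)]
    certs: Certs = {f: set(fakes) - {f} for f in fakes}
    certs[victim] = set(fakes)
    return certs


def merge(*graphs: Certs) -> Certs:
    """Union several certification graphs into one."""
    out: Certs = {}
    for g in graphs:
        for target, signers in g.items():
            out.setdefault(target, set()).update(signers)
    return out


def count_policy(certs: Certs, target: str, threshold: int) -> bool:
    """Naive policy: a key is 'valid' once enough distinct keys certified it.
    This is the policy a Sybil attacker defeats by minting keys."""
    return len(certs.get(target, set())) >= threshold


def wot_valid_keys(certs: Certs, our_key: str, ownertrust: Dict[str, str],
                   marginals_needed: int = 3, max_depth: int = 5) -> Set[str]:
    """Simplified GnuPG-style validity (assumption: not the real trust-db code).
    A key becomes valid when it is certified by a key that is itself valid
    and whose owner we marked 'ultimate' or 'full', or by `marginals_needed`
    valid keys whose owners we marked 'marginal'.  Each round extends the
    certification path by one hop; max_depth bounds the path length."""
    valid = {our_key}
    for _ in range(max_depth):
        newly: Set[str] = set()
        for key, signers in certs.items():
            if key in valid:
                continue
            full = [s for s in signers if s in valid
                    and ownertrust.get(s) in ("ultimate", "full")]
            marginal = [s for s in signers if s in valid
                        and ownertrust.get(s) == "marginal"]
            if full or len(marginal) >= marginals_needed:
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid


def demo() -> Dict[str, bool]:
    """Constructed scenario: 'alice' is our key; she certified bob, carol,
    dave and erin; frank has three certifications from people alice trusts
    marginally; mallory has ten certifications from a Sybil clique."""
    honest: Certs = {
        "bob": {"alice"},
        "carol": {"alice"}, "dave": {"alice"}, "erin": {"alice"},
        "frank": {"carol", "dave", "erin"},
    }
    certs = merge(honest, sybil_cluster("sybil", 10, "mallory"))
    ownertrust = {"alice": "ultimate", "bob": "full",
                  "carol": "marginal", "dave": "marginal", "erin": "marginal"}
    valid = wot_valid_keys(certs, "alice", ownertrust)
    return {
        "count_frank": count_policy(certs, "frank", 5),      # 3 certs -> False
        "count_mallory": count_policy(certs, "mallory", 5),  # 10 certs -> True
        "wot_frank": "frank" in valid,                       # True
        "wot_mallory": "mallory" in valid,                   # False
        "wot_sybil0": "sybil0" in valid,                     # False
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The two policies disagree in exactly the direction the thread warns about: the counting policy accepts the attacker's key and rejects the honestly introduced one, while the ownertrust-based computation is unaffected by the clique because none of the Sybil keys is reachable from a key whose owner the verifier actually trusts.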

