Web Of Trust
Posted in gnupg, Web of Trust on January 13th, 2008 at 07:35:10I really like the Leaf of Trust diagram, and from there I was able to wander out to a lot of different sites. For example, I was able to see that if you remove the most recent signature I obtained, from a Ari Pollak (on NYE, while drinking Tequila… eerily reminiscent of the xkcd comic posted earlier that day), the web of people who trust me is about one third the size under the default trust model: without Ari, With Ari. As far as I understand it, the default is to go 5 levels deep: this means that without Ari, I get to 2953 people, but with his sig, I get to 10272 people. Not a bad jump.
Things like this always make me want to go out and expand the web of trust. The fact that there only appear to be ~38,000 keys is almost an embarrassment. There are a number of reasons for this — the gnupg documentation, for example, practically screams “If you’re not an expert, don’t use this toolset”, which is hardly the right attitude for building the web of trust. More poignant to me, though, is the fact that it’s a somewhat difficult social barrier to break to move from exchanging business cards — which I do with ease — to exchanging IDs and GPG fingerprints. I’m hopeful that I’ll be able to overcome this, because I’d really like to stop seeing the “Signature is not trusted” warnings in my mail client. But also because I think building a stronger web of trust is important in general. Currently, the web is something where you can trust who is saying something. I’m hopeful that that can be changed.
That said, I don’t think that GPG-style public key web of trust stuff is likely to be the solution in the long term. It seems like karma-based systems — where determining who someone really is is less important than determining that what they say makes sense — are the ‘wave of the future’. However, I’ve always lived in the past as far as noticing that technology is changing — and I’m not about to change that now.
So, if anyone meets me, and wants to exchange fingerprints, please feel free to ask! I’ve started carrying copies of my gpg fingerprint in my wallet, so I can exchange keys with confidence — and even if I can’t sign your key, you can sign mine. If you’re running Debian (or Ubuntu), ‘caff’, a utility provided by the ‘signing-party’ package, is super-useful for this: Simply type ‘caff C90820BA’, and it will show you the fingerprint and ask you if you want to sign. You compare the fingerprint to the piece of paper you have with the correct ‘print written on it, hit yes, and it then sends it off to the email in the key. I have no problem breaking the social barrier that prevents pulling out ID to prove who you are — I just have a problem doing it first.