1996-04-29 - Re: connecting Uni to the Web O Trust

Header Data

From: bryce@digicash.com
To: sameer@c2.org
Message Hash: a04d2f9820626d3fafe1f9db80fd43f9678ffa89fc7d416f8ee52d48f72ec2e4
Message ID: <199604290846.KAA01661@digicash.com>
Reply To: <199604290521.WAA21769@atropos.c2.org>
UTC Datetime: 1996-04-29 18:46:18 UTC
Raw Date: Tue, 30 Apr 1996 02:46:18 +0800

Raw message

From: bryce@digicash.com
Date: Tue, 30 Apr 1996 02:46:18 +0800
To: sameer@c2.org
Subject: Re: connecting Uni to the Web O Trust
In-Reply-To: <199604290521.WAA21769@atropos.c2.org>
Message-ID: <199604290846.KAA01661@digicash.com>
MIME-Version: 1.0
Content-Type: text/plain


 sameer@c2.org wrote:
(> Black Unicorn <unicorn@schloss.li> wrote:)
> > (Sigh).  I'll say it yet a third time.  Get a current copy of my key which
> > is signed by at least three people on the web of trust.
> 	As if this "web of trust" was actually worth something.

It is most certainly worth something, as long as the
participants exercise the necessary measures to detect and
correct any active attacks on it.  The primary reason that
the Web O Trust is ineffective at this point is the
prevalence of misunderstandings among users (including
cypherpunks) about its usage and its efficacy.

As an example of these prevalent misunderstandings, I submit
to you the fact that PGP keyservers do not use PGP, either
for encryption or authentication.  If you suggest it to them
(or indeed, to most cypherpunks) they will respond that it
would "do no good".  Ridiculous.

It's a shame really, since if we _did_ have the wits to
create a Web O Trust now, it would serve to prevent active
attacks in the future.

Hopefully the public key infrastructure people will come up
with something that will replace the WoT and will be more
understandable or acceptable to people.

In the meantime, I cannot have much confidence in the
security of my private communications with Black Unicorn,
which makes me hesitant to exchange money with him.

Unfortunate that cypherpunks are so ineffectual when it
comes to "social engineering" (not in the "social cracking"


