WebOfTrustInfo / rwot1-sf

RWOT1 in San Francisco, California (November 2015)
http://www.WebOfTrust.Info
322 stars 87 forks source link

PGP & Vectors of Trust? #17

Open ChristopherA opened 9 years ago

ChristopherA commented 9 years ago

/re PGP-Paradigm.pdf #569b5a4 /cc @joncallas

One thing that I've always wanted with PGP was when I signed someone's key was that I could notate more the quality and effort of my validity assertion. For instance, vector of trust-like assertion about:

etc. Why didn't some type of these type of assertions evolve in the PGP ecosystem? Was it purely a matter of it being too UX complex for the expected average user? Or an issue of validity vs trust? Or am I missing something?

joncallas commented 9 years ago

They exist. Section 5.2.1 of RFC 4880. At one time during the discussions of transition from 2440 to 4880, we were looking at removing them, and they got put back in because people wanted them.

I don't think they're used not only because of UX — GnuPG implements just about everything so it would be trivial to do, it's more that no one knows what they mean. That's the reason we were looking at removing them in the first place.

Here's what 4880 says:

0x10: Generic certification of a User ID and Public-Key packet.
   The issuer of this certification does not make any particular
   assertion as to how well the certifier has checked that the owner
   of the key is in fact the person described by the User ID.

 0x11: Persona certification of a User ID and Public-Key packet.
   The issuer of this certification has not done any verification of
   the claim that the owner of this key is the User ID specified.

 0x12: Casual certification of a User ID and Public-Key packet.
   The issuer of this certification has done some casual
   verification of the claim of identity.

 0x13: Positive certification of a User ID and Public-Key packet.
   The issuer of this certification has done substantial
   verification of the claim of identity.

   Most OpenPGP implementations make their "key signatures" as 0x10
   certifications.  Some implementations can issue 0x11-0x13
   certifications, but few differentiate between the types.

What is the difference between a personal certification and a casual certification? What would "substantial verification" be? Personally, one of the things that I dislike about the PGP culture is how surly it is to nyms and personae, to begin with, and is one of the reasons I don't like key signing parties.

jimscarver commented 9 years ago

FreeTrust.org begins with dimensions of identity, presence, security and privacy for which we would have assertions and proofs. Trust is subjective and personal trust,of signer weights trust in assertion.

I love the Vectors of Trust standard! but we must support them all since anyone might trust something different and nobody knows what the standard will be tomorrow.

It is wonderful to find a group so far along in this area. :-)