reliable web of trust using google's pagerank - PGP


  1. reliable web of trust using google's pagerank

    Hi,

    I don't know if this had already been mentioned here (or is even
    relevant), but has anyone considered the web of trust in pgp using a
    scheme like google's pagerank algorithm? In essence, each public key
    would be trusted as much as its referral rank. Is there any
    documentation or articles on pgp web of trust, or any such ranking
    scheme?

    Thanks,
    Bahadir


  2. Re: reliable web of trust using google's pagerank

    Bilgehan.Balban@gmail.com wrote:
    > Hi,
    >
    > I don't know if this had already been mentioned here (or is even
    > relevant), but has anyone considered the web of trust in pgp using a
    > scheme like google's pagerank algorithm? In essence, each public key
    > would be trusted as much as its referral rank. Is there any
    > documentation or articles on pgp web of trust, or any such ranking
    > scheme?


    First of all, we must distinguish between "validity" and "trust". A key
    is valid if you know that the asserted owner is indeed the actual owner.
    A key is trusted if you believe the owner is careful when signing
    other keys.

    The mere presence of a signature on a key does not mean it is trusted
    (that the owner is careful). The signature merely indicates validity.
    Trust is indicated in a key by the trust flag in a signature (see RFC
    2440, section 5.2.3.12). The trust flag can only be set either if you
    directly sign (validate) the key or else if you sign a key which has in
    turn signed the key you trust.

    The only way to know if the owner of a key is indeed careful -- if the
    key is a trusted key -- is to know the person and how he or she
    operates. No number of other signatures on George's key can indicate
    the degree that George exercises trustworthy care. Further, a large
    number of other keys signed by George might indicate that he is careless
    when signing other keys.

    If you trust Mary and have both signed and trusted Mary's key and then
    Mary signs George's key, then George's key will appear valid to you.
    You still have to establish whether you trust George and set the trust
    indicator yourself. Even if Mary trusts George, that does not propagate
    to you when you add George's key to your keyring.

    There is also the issue of complete versus partial trust. In the
    paragraph above, I assumed that Mary is completely trusted. If there
    were some question about how careful she is, you might mark Mary as
    partially trusted. In that case, it would take not only Mary's
    signature on George's key to validate the latter; it would also take the
    signature from another partially trusted key.

    From "An Introduction to Cryptography",
    > You validate certificates [keys]. You trust people. More specifically,
    > you trust people to validate other people's certificates.

    Thus, validation might be considered a data issue while trust is a
    people issue, which I don't think can be automated.

    See



    --

    David E. Ross


    I use SeaMonkey as my Web browser because I want
    a browser that complies with Web standards. See
    .
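
The validity rule described in the post above, as an added example that is not part of the original thread: a key becomes valid through one completely trusted signer or two partially trusted signers, and owner trust is only ever set by hand. The keyring, the names Alice, Bob, Carol, Dave, Erin and the "popular" key are constructed, and the model ignores depth limits, expiry and revocation.

```python
FULL, PARTIAL = "full", "partial"
PARTIALS_NEEDED = 2  # assumption taken from the post: two partially trusted signers


def valid_keys(me, signatures, owner_trust):
    """Return the set of keys that are valid from `me`'s point of view.

    signatures:  set of (signer, signed) pairs.
    owner_trust: trust values `me` assigned by hand; nothing is inferred
                 from how many signatures a key has collected.
    """
    trust = {**owner_trust, me: FULL}   # you trust your own signatures
    valid = {me}                        # your own key is valid by definition
    changed = True
    while changed:                      # repeat until no new key becomes valid
        changed = False
        for key in {signed for _, signed in signatures} - valid:
            # Only signatures made by keys that are themselves valid count.
            signers = {s for s, k in signatures if k == key and s in valid}
            full = sum(trust.get(s) == FULL for s in signers)
            partial = sum(trust.get(s) == PARTIAL for s in signers)
            if full >= 1 or partial >= PARTIALS_NEEDED:
                valid.add(key)
                changed = True
    return valid


# Constructed sample keyring.
SIGS = {
    ("me", "mary"), ("mary", "george"),   # Mary vouches for George
    ("george", "dave"),                   # George vouches for Dave
    ("me", "alice"), ("me", "bob"),
    ("alice", "carol"),                   # one partially trusted signer
    ("alice", "erin"), ("bob", "erin"),   # two partially trusted signers
} | {(f"stranger{i}", "popular") for i in range(50)}  # many unknown signers

TRUST = {"mary": FULL, "alice": PARTIAL, "bob": PARTIAL}

if __name__ == "__main__":
    # George is valid through Mary, but Dave is not: George has no owner trust.
    print(sorted(valid_keys("me", SIGS, TRUST)))
    # Dave becomes valid only after you decide to trust George yourself.
    print(sorted(valid_keys("me", SIGS, {**TRUST, "george": FULL})))
```

The "popular" key stays invalid despite its 50 signatures, because none of its signers is valid and trusted in your own keyring.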

  3. Re: reliable web of trust using google's pagerank

    Bilgehan.Balban@gmail.com wrote:
    > Hi,
    >
    > I don't know if this had already been mentioned here (or is even
    > relevant), but has anyone considered the web of trust in pgp using a
    > scheme like google's pagerank algorithm? In essence, each public key
    > would be trusted as much as its referral rank. Is there any
    > documentation or articles on pgp web of trust, or any such ranking
    > scheme?
    >
    > Thanks,
    > Bahadir
    >


    Validity does not equal trustworthiness.



    shg
