[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] [monkeysphere] [Fwd: Why the Web of Trust Sucks]

Thanks for the reply, dkg! 

I think you sent this before finishing a few paragraphs -- I've marked
them below. 

On Mon, 2013-09-30 at 19:20 -0400, Daniel Kahn Gillmor wrote:
> > 2. Every time I verify a signature from a key sent to an email address
> > that is not mine (like a mailinglist), my mail client adds a tiny amount
> > of trust to that key (since each new public email+signature downloaded
> > represents an observation of the key via a potentially distinct network
> > path that should also be observed by multiple people, including the
> > sender).
> i don't think "trust" ...
> I think this would be a really useful project to work on, though the
> nuances are subtle and not everyone would make the same tradeoffs.  I
> think it would be

> > 3. Every time I am about to encrypt mail to a key, check the key servers
> > for that email address, download the key, and make sure it is still the
> > same (SSH/TOFU-style).
> This is sort of the opposite of TOFU -- ...
> Also, note that real-time key refreshes upon every use leak a not
> insignificant amount of activity metadata to the keyservers and to
> anyone capable of monitoring the network path between the OpenPGP client
> and the keyservers.  This might not be

^^ and here
Sent from Ubuntu

Attachment: signature.asc
Description: This is a digitally signed message part

tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsusbscribe or change other settings go to