
PGP web of trust


At 09:38 AM 12/3/97 -0200, Ed Gerck wrote:
>Subject: Re: I-D ACTION:draft-ietf-spki-cert-theory-00.txt
>PGP does not prohibit pseudonyms to be used, which amounts to a binding
>only between name (here, an e-mail) and a key. Further, PGP does not
>depend on such binding for security, but on the web-of-trust, which is a
>binding of quite a different sort (between a person and respective

PGP's web of trust is frequently misunderstood.  I wish the PGP folks (some 
of whom are on this list) would correct that.

From my POV, everybody's trust model radiates out from the verifier.  As I 
say frequently, there are only certificate loops -- with authority passing 
from the verifier through certificates back to the verifier.  In traditional 
X.509, SDSI and raw SPKI, these certificates pass full authority and one 
needs only one loop.  In PGP, the authority is fuzzy, with partial authority 
passing, depending on the length of the certificate path as well as the 
width.  The closest SPKI comes to that is with threshold subjects, which 
allow width of paths but make no allowance for length.

 - Carl



|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street  PGP 08FF BA05 599B 49D2  23C6 6FFD 36BA D342 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
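
The distinction the message above draws between path width and path length, as an added example (not part of the original message, and not PGP or SPKI code): a simplified verifier-rooted evaluator in which marginally trusted introducers must corroborate each other (width) and an optional `max_depth` bounds path length. Leaving `max_depth` unset gives a width-only rule, the property the message attributes to SPKI threshold subjects. The key names, trust assignments and parameter values are constructed for illustration.

```python
# Constructed sample data: who has certified whom, and how much the verifier
# ("me") trusts each key as an introducer. None of this comes from a real keyring.
CERTS = {
    "me": ["alice", "bob"],
    "alice": ["carol", "dave"],
    "bob": ["carol"],
    "carol": ["erin"],
    "erin": ["frank"],
}
TRUST = {"alice": "marginal", "bob": "marginal", "carol": "full", "erin": "full"}


def valid_keys(certs, trust, root, completes=1, marginals=2, max_depth=None):
    """Return {key: path length from root} for every key the verifier accepts.

    A key is accepted when the verifier signed it directly, or when already
    accepted introducers supply enough weight: each fully trusted signer
    counts 1/completes, each marginally trusted signer 1/marginals (width).
    max_depth bounds the path length; None means no limit on length.
    """
    depth = {root: 0}
    subjects = sorted({k for subs in certs.values() for k in subs})
    level = 1
    while max_depth is None or level <= max_depth:
        accepted = []
        for key in subjects:
            if key in depth:
                continue
            # Only signatures from keys accepted at an earlier level count.
            signers = [s for s in depth if key in certs.get(s, [])]
            full = sum(trust.get(s) == "full" for s in signers)
            marg = sum(trust.get(s) == "marginal" for s in signers)
            if root in signers or full / completes + marg / marginals >= 1:
                accepted.append(key)
        if not accepted:
            break  # fixed point reached: no more authority to pass along
        depth.update((k, level) for k in accepted)
        level += 1
    return depth


if __name__ == "__main__":
    print("width and length:", valid_keys(CERTS, TRUST, "me", max_depth=3))
    print("width only:      ", valid_keys(CERTS, TRUST, "me"))
```

With the sample data, `dave` is rejected under both rules because only one marginal introducer vouches for him, while `frank` is rejected only when the length limit applies.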
