New Hampshire Crossing
Conversation:

  1. kat (boneidol)'s status on Sunday, 30-Jun-2019 07:39:51 EDT
    oh Shit... the GPG web of trust is dead https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
    Sunday, 30-Jun-2019 07:39:51 EDT from indy.im permalink
    1. Joshua Judson Rosen (rozzin)'s status on Monday, 01-Jul-2019 15:40:24 EDT
      @boneidol The signature-flooding attack on the SKS #keyservers (and DoS of their users) is bad but doesn't actually sound like any kind of #apocalypse, and has basically nothing to do with the #WoT; signature-chains maybe, but that's something else entirely. !crypto
      Monday, 01-Jul-2019 15:40:24 EDT from status.hackerposse.com permalink
      1. kat (boneidol)'s status on Tuesday, 02-Jul-2019 05:24:18 EDT
        @rozzin Maybe I am misunderstanding, but the poisoning prevents people from updating keys to check trust paths. The proposed replacement service https://keys.openpgp.org/ does not link ID (email address) to the public key, unless asked to. And more importantly from a WoT it does not have any third party signatures. So can't be used to follow a trust path.
        Tuesday, 02-Jul-2019 05:24:18 EDT from indy.im permalink
        1. kat (boneidol)'s status on Tuesday, 02-Jul-2019 05:32:16 EDT
          @rozzin https://keys.openpgp.org/about/faq https://indy.im/attachment/138122
          Tuesday, 02-Jul-2019 05:32:16 EDT from indy.im permalink
        2. Joshua Judson Rosen (rozzin)'s status on Tuesday, 02-Jul-2019 08:12:09 EDT
          Contrary to popular belief, "trust paths" are not actually a thing in #PGP.
          Tuesday, 02-Jul-2019 08:12:09 EDT from status.hackerposse.com permalink
          1. kat (boneidol)'s status on Tuesday, 02-Jul-2019 08:38:09 EDT
            @rozzin help me out!
            What am I doing then when I get a new key from someone I've not communicated with, and check the signatures to see if there are any people in common?

            What are the people at Tails doing here? https://tails.boum.org/install/linux/usb-download/index.en.html#install-inc-steps-download.inline.web-of-trust https://indy.im/attachment/138158

            It looks to me like building a human connection through the WoT.
            Tuesday, 02-Jul-2019 08:38:09 EDT from indy.im permalink
            1. Joshua Judson Rosen (rozzin)'s status on Wednesday, 03-Jul-2019 00:33:56 EDT
              There is a chance I've misunderstood what you mean when you say "trust paths" if by "path" you didn't mean "linked lists that may be >1 indirection long". If so, sorry!☺
              Wednesday, 03-Jul-2019 00:33:56 EDT from status.hackerposse.com permalink
            2. Joshua Judson Rosen (rozzin)'s status on Wednesday, 03-Jul-2019 00:49:32 EDT
              That #PGP's #WoT metrics (supposedly) propagate through signature-chains is somehow basically an extremely popular #myth; "talks about WoT being all about arbitrarily-long multi-hop chains of trust" and "conflates #trust and #identity #certification" have been "understands-pgp-p" litmus tests for me since I realized how confused *I was myself* years ago, and they've never failed before.
              Wednesday, 03-Jul-2019 00:49:32 EDT from status.hackerposse.com permalink
            3. Joshua Judson Rosen (rozzin)'s status on Wednesday, 03-Jul-2019 00:56:58 EDT
              It may also matter that when I say "#PGP", I really mean "#GnuPG" because AFAICT GPG is the PGP that everyone actually uses these days. There are "trust signatures" in #OpenPGP, and GPG can make and use them..., but they're a whole different thing from "trust", "signatures", and #WoT. And I don't think I've ever actually seen one in the wild. Some other PGP implementation might use tsigs by default? But I doubt it?
              Wednesday, 03-Jul-2019 00:56:58 EDT from status.hackerposse.com permalink
            4. Joshua Judson Rosen (rozzin)'s status on Wednesday, 03-Jul-2019 01:15:55 EDT
              That #Tails "use the WoT" download #verification guide is telling you to do 2 distinct things:
              1) use #PGP WoT metrics to identify someone who is a Tails developer (but not AFAICT to identify that person *as* a Tails developer);
              2) make a WoT-less leap from "this is Bob" to "Bob is verified as a Tails developer AND his signatures mean something".

              In that "→A→B→C" chain of mixed ops, #WoT only takes you to B.
              Wednesday, 03-Jul-2019 01:15:55 EDT from status.hackerposse.com permalink
            5. Joshua Judson Rosen (rozzin)'s status on Wednesday, 03-Jul-2019 10:32:33 EDT
              So, "what am I doing when I get a new key from someone and check the signatures to see if there are any people in common" depends heavily on what you mean by "check the signatures" and "people in common". If you mean "trace through signature-chains with no #trust #metrics to find *reachable* signatures", then no, you're not using #WoT verification, you're making your own inferences based on something else.
              Wednesday, 03-Jul-2019 10:32:33 EDT from status.hackerposse.com permalink
    2. Joshua Judson Rosen (rozzin)'s status on Monday, 01-Jul-2019 15:42:36 EDT
      Also it seems kind of inappropriate to be using "poisoning" as it's being used here: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f !crypto
      Monday, 01-Jul-2019 15:42:36 EDT from status.hackerposse.com permalink
    3. Joshua Judson Rosen (rozzin)'s status on Monday, 01-Jul-2019 15:50:40 EDT
      ALSO, I'm reminded that there was this other #HKP #keyserver released a few years ago, compatible w/ #SKS but written in #Golang, which might relieve some of the "zomg unmaintainable!" problems with the SKS servers: https://hockeypuck.github.io/ !crypto #PGP #GnuPG
      Monday, 01-Jul-2019 15:50:40 EDT from status.hackerposse.com permalink
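
Added example, not written by any participant in the conversation and not GnuPG's own code: a simplified Python model of GnuPG's classic trust model, using its documented default thresholds, to show the difference the thread turns on between a key that is merely reachable over signature chains and a key that is valid under locally assigned ownertrust. The key names and the signature graph are constructed for illustration.

```python
from collections import deque

# GnuPG's documented defaults for the classic trust model.
MARGINALS_NEEDED, COMPLETES_NEEDED, MAX_CERT_DEPTH = 3, 1, 5

def reachable(sigs, start, target):
    """Bare signature-chain reachability; ownertrust is ignored."""
    seen, queue = {start}, deque([start])
    while queue:
        for signee in sigs.get(queue.popleft(), ()):
            if signee not in seen:
                seen.add(signee)
                queue.append(signee)
    return target in seen

def valid_keys(sigs, ownertrust, me):
    """Keys that `me` would treat as valid (simplified model).

    sigs maps signer -> keys it certified. ownertrust maps key ->
    'full' or 'marginal'; it is set locally by `me`, never imported.
    """
    valid = {me}
    for _ in range(MAX_CERT_DEPTH):              # one round per hop
        full, marginal = {}, {}
        for signer in valid:
            trust = "ultimate" if signer == me else ownertrust.get(signer)
            for signee in sigs.get(signer, ()):
                if trust == "ultimate":
                    full[signee] = COMPLETES_NEEDED
                elif trust == "full":
                    full[signee] = full.get(signee, 0) + 1
                elif trust == "marginal":
                    marginal[signee] = marginal.get(signee, 0) + 1
                # signers with no ownertrust contribute nothing
        newly = {k for k in set(full) | set(marginal)
                 if full.get(k, 0) >= COMPLETES_NEEDED
                 or marginal.get(k, 0) >= MARGINALS_NEEDED} - valid
        if not newly:
            break
        valid |= newly
    return valid

# Constructed sample graph: me -> alice -> bob -> tails, plus three introducers.
SIGS = {"me": {"alice", "m1", "m2", "m3"}, "alice": {"bob"}, "bob": {"tails"},
        "m1": {"dave"}, "m2": {"dave"}, "m3": {"dave"}}

if __name__ == "__main__":
    print("tails reachable:", reachable(SIGS, "me", "tails"))
    print("valid, alice fully trusted:", sorted(valid_keys(SIGS, {"alice": "full"}, "me")))
```

With only `alice` assigned ownertrust, `tails` is reachable but not valid; it becomes valid only once `bob` is also assigned ownertrust locally.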
New Hampshire Crossing is a GNU social hub. It runs version 1.1.3-beta3, available under the GNU Affero General Public License.

All New Hampshire Crossing content and data are available under the Creative Commons Attribution 3.0 license.