[tor-talk] [monkeysphere] [Fwd: Why the Web of Trust Sucks]
Ted Smith
tedks at riseup.net
Tue Oct 1 01:17:08 UTC 2013
Thanks for the reply, dkg!
I think you sent this before finishing a few paragraphs -- I've marked
them below.
On Mon, 2013-09-30 at 19:20 -0400, Daniel Kahn Gillmor wrote:
> > 2. Every time I verify a signature from a key sent to an email address
> > that is not mine (like a mailing list), my mail client adds a tiny amount
> > of trust to that key (since each new public email+signature downloaded
> > represents an observation of the key via a potentially distinct network
> > path that should also be observed by multiple people, including the
> > sender).
>
> i don't think "trust" ...
> I think this would be a really useful project to work on, though the
> nuances are subtle and not everyone would make the same tradeoffs. I
> think it would be
^^here
>
> > 3. Every time I am about to encrypt mail to a key, check the key servers
> > for that email address, download the key, and make sure it is still the
> > same (SSH/TOFU-style).
>
> This is sort of the opposite of TOFU -- ...
> Also, note that real-time key refreshes upon every use leak a not
> insignificant amount of activity metadata to the keyservers and to
> anyone capable of monitoring the network path between the OpenPGP client
> and the keyservers. This might not be
^^ and here
--
Sent from Ubuntu
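As an added example that is not part of the thread or of any Monkeysphere code, a toy Python sketch of the two heuristics in items 2 and 3 above: a TOFU-style pin store that counts verified-signature observations per address and delivery path, and a pre-encryption check against whatever the keyserver currently returns. The `TofuStore` class, the `via` path label and the dict standing in for a keyserver lookup are all assumptions.

```python
"""Constructed example: TOFU-style key pinning per e-mail address.
Keys are represented by their fingerprints; the keyserver is a plain dict."""
from dataclasses import dataclass, field


@dataclass
class Pin:
    fingerprint: str
    observations: int = 0                      # item 2: verified signatures seen
    paths: set = field(default_factory=set)    # distinct delivery paths (list names)


class TofuStore:
    def __init__(self):
        self.pins: dict[str, Pin] = {}

    def observe_signature(self, email: str, fingerprint: str, via: str) -> str:
        """Item 2: a verified signature from `email`, delivered via `via`
        (e.g. a mailing list), slightly raises confidence in the pinned key.
        Returns 'new', 'confirmed' or 'conflict'."""
        pin = self.pins.get(email)
        if pin is None:
            self.pins[email] = Pin(fingerprint, 1, {via})
            return "new"
        if pin.fingerprint != fingerprint:
            return "conflict"      # another key claims the same address: do not pin it
        pin.observations += 1
        pin.paths.add(via)
        return "confirmed"

    def check_before_encrypt(self, email: str, keyserver: dict) -> str:
        """Item 3: before encrypting, compare the pinned fingerprint with the
        keyserver's current answer (SSH known_hosts style).  Note that this
        lookup is exactly the per-message keyserver query that leaks activity
        metadata, as pointed out in the reply above."""
        pin = self.pins.get(email)
        if pin is None:
            return "unknown"       # never seen a signature from this address
        current = keyserver.get(email)
        if current is None:
            return "missing"       # key no longer served; treat as suspicious
        return "match" if current == pin.fingerprint else "changed"
```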