[tor-talk] [monkeysphere] [Fwd: Why the Web of Trust Sucks]
tedks at riseup.net
Tue Oct 1 01:17:08 UTC 2013
Thanks for the reply, dkg!
I think you sent this before finishing a few paragraphs -- I've marked
On Mon, 2013-09-30 at 19:20 -0400, Daniel Kahn Gillmor wrote:
> > 2. Every time I verify a signature from a key sent to an email address
> > that is not mine (like a mailinglist), my mail client adds a tiny amount
> > of trust to that key (since each new public email+signature downloaded
> > represents an observation of the key via a potentially distinct network
> > path that should also be observed by multiple people, including the
> > sender).
> i don't think "trust" ...
> I think this would be a really useful project to work on, though the
> nuances are subtle and not everyone would make the same tradeoffs. I
> think it would be
> > 3. Every time I am about to encrypt mail to a key, check the key servers
> > for that email address, download the key, and make sure it is still the
> > same (SSH/TOFU-style).
> This is sort of the opposite of TOFU -- ...
> Also, note that real-time key refreshes upon every use leak a not
> insignificant amount of activity metadata to the keyservers and to
> anyone capable of monitoring the network path between the OpenPGP client
> and the keyservers. This might not be
^^ and here
Sent from Ubuntu
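Added example, not code from this thread, from monkeysphere or from GnuPG: a small TOFU-style pin store sketching the two proposals quoted above. Proposal (2) is modelled as counting each verified signature as one observation of an email-to-fingerprint binding, per source (mailing list vs. direct mail), and proposal (3) as re-fetching the binding from a keyserver before encrypting and flagging a change. The keyserver is a caller-supplied lookup callable, and every address and fingerprint below is constructed sample data, so the block runs offline. A query counter is kept only to make dkg's point visible: every pre-encryption refresh is one more observable keyserver request.

```python
"""TOFU-style fingerprint pinning for OpenPGP correspondents (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


def normalize_fpr(fpr: str) -> str:
    """Canonical form: strip spaces, upper-case, require 40 hex digits (v4)."""
    f = fpr.replace(" ", "").upper()
    if len(f) != 40 or any(c not in "0123456789ABCDEF" for c in f):
        raise ValueError(f"not a v4 fingerprint: {fpr!r}")
    return f


@dataclass
class Observation:
    fingerprint: str
    count: int = 0                                   # verified signatures seen
    sources: Set[str] = field(default_factory=set)   # distinct paths: lists, direct mail


@dataclass
class PinStore:
    pins: Dict[str, Observation] = field(default_factory=dict)
    conflicts: Dict[str, Set[str]] = field(default_factory=dict)
    keyserver_queries: int = 0   # each pre-encryption refresh is one observable lookup

    def record_signature(self, email: str, fpr: str, source: str) -> str:
        """Proposal (2): a verified signature seen via `source` is one more
        observation of email -> fpr. Returns 'new', 'consistent' or 'conflict'."""
        fpr, email = normalize_fpr(fpr), email.lower()
        pinned = self.pins.get(email)
        if pinned is None:
            self.pins[email] = Observation(fpr, 1, {source})
            return "new"
        if pinned.fingerprint == fpr:
            pinned.count += 1
            pinned.sources.add(source)
            return "consistent"
        self.conflicts.setdefault(email, set()).add(fpr)   # different key, same address
        return "conflict"

    def confidence(self, email: str) -> int:
        """Crude score: a distinct source weighs more than a repeat sighting on one path."""
        obs = self.pins.get(email.lower())
        return 0 if obs is None else len(obs.sources) * 10 + obs.count

    def check_before_encrypt(self, email: str,
                             lookup: Callable[[str], Optional[str]]) -> str:
        """Proposal (3): ask the keyserver what it serves for `email` now and
        compare with the pin, known_hosts style.
        Returns 'match', 'mismatch', 'pinned' (first use) or 'unknown'."""
        self.keyserver_queries += 1
        email = email.lower()
        served = lookup(email)
        if served is None:
            return "unknown"
        served = normalize_fpr(served)
        pinned = self.pins.get(email)
        if pinned is None:
            self.pins[email] = Observation(served, 0, {"keyserver"})
            return "pinned"
        return "match" if pinned.fingerprint == served else "mismatch"


# Constructed sample data: two correspondents and a fake keyserver directory
# that now serves a different key for Alice (rotation or impersonation).
ALICE_FPR = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
ALICE_FPR2 = "FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98"
FAKE_KEYSERVER = {"alice@example.org": ALICE_FPR2}


def demo() -> dict:
    store = PinStore()
    r = {}
    r["alice_list"] = store.record_signature("alice@example.org", ALICE_FPR, "tor-talk")
    r["alice_direct"] = store.record_signature("alice@example.org", ALICE_FPR, "direct")
    r["alice_again"] = store.record_signature("Alice@example.org", ALICE_FPR, "tor-talk")
    r["alice_conflict"] = store.record_signature("alice@example.org", ALICE_FPR2, "tor-talk")
    r["alice_conf"] = store.confidence("alice@example.org")
    r["alice_check"] = store.check_before_encrypt("alice@example.org", FAKE_KEYSERVER.get)
    r["bob_check"] = store.check_before_encrypt("bob@example.org", FAKE_KEYSERVER.get)
    r["queries"] = store.keyserver_queries
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A real client would persist the store and treat "mismatch" as a hard stop rather than a warning; whether to let a conflict lower the existing pin's score is one of the tradeoffs dkg says not everyone would make the same way.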