[SGVLUG] CAcert Web of Trust?

Wed Mar 29 15:59:04 PST 2006

On Wed, Mar 29, 2006 at 02:21:24PM -0800, John E. Kreznar wrote:

> The power of strong cryptography is that it enables each individual,
> acting alone, to effectively defend herself against the body politic.
> Reliance on identity documents sanctioned by that very body politic
> is at odds with this ideal.
> 
> The owner of an encryption key earns trust by digitally signing
> consistently trustworthy messages, not by registering with a
> certification authority such as CAcert.org.  Linking trust to
> government ID dilutes and sullies earned trust.  As well, it requires
> the ID holder to enter into contract with government.

Let me guess--you're a huge fan of The Prisoner. :-)

I'm going to disagree here, though this would be better discussed after
the PGP presentation (maybe at BC).  The problem is the use of "trust"
in technical ways not really congruent with the normal meaning.
Understand why you can be a subversive and still use government ID and
you understand the web of trust.

To exchange encrypted messages with someone, I need an acceptable level
of confidence that:

    1. They are who I think they are--I am communicating with the right
    person.  In other words, identity.

    2. I understand the trustworthiness of that person's communications.

#2 is the usual meaning of "trust," and I agree there are reasons not to
want the government to interfere with that assessment.  However, that is
not what is done with GPG.  GPG is *only* concerned with the exceedingly
narrow area #1, and ones "trust" in the GPG sense has nothing directly
to do with #2; only how careful they will be to only sign keys that are
who in fact they say they are.  A person could be entirely untrustworthy
in general but be meticulous about identity verification.  GPG is only
concerned with the latter, the former is totally up to you.

Now, the use of government ID: it turns out that in general most
governments, and in our case the US state and federal governments,
qualify as trustworthy in that narrow sense.  Why?  Because it has a
vested interest in identifying and tracking people.  Even if it happens
to be doing this for reasons you abhor, meaning you have no confidence
in the government in the larger sense #2, you generally can trust it in
sense #1.

In fact, I suspect the two senses have some negative correlation, at
least in intent.  Consider which governments are *most* concerned about
identity: it turns out to be the ones you least want to trust.  The only
variable there is corruption; the governments I least want to trust tend
to be more corrupt, which means I'm probably more likely to see a forged
ID.  But then, I might see some teenager's forged drinking ID anyway.

The point is, if you're a pinko commie peacenik perhaps the US Gubmint
has little trust in you in sense #2, and maybe I prefer to make up my
own mind.  But it sure wants to make sure it knows who you are and what
else you've been up to, yessiree.  They want to be sure they are correct
in sense #1 precisely because they don't trust you in sense #2.  There
is *no* reason I can't use their work in this area even if I disagree
with them on *why* we want to identify you (them to watch your shameful
un-American activities, me, say, so I can join your revolutionary cell
and over throw the hated oppressor).

The extreme example would be trusting someone (sense #2) precisely
because the big bad government doesn't trust you or me and we don't
trust it (sense #2) and using your concentration camp tattoo to verify
your identity.

Dustin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://www.sgvlug.net/pipermail/sgvlug/attachments/20060329/7311f1bb/attachment.bin