Re: Netscape Changes RSA tree
-----------------------------------------------------------
|Re web of trust versus hierarchy models:
|
|The big difference I see is that the web of trust at least as implemented
|in PGP is "non transitive". That means that there is no mechanism to
|follow a chain of trust from one signer to another. If A signs B's key,
|and B signs C's, then just because I trust A as a signer that gives me no
|basis to conclude that C's key is valid, and in fact PGP has no support
|for this kind of reasoning.
|
[clip]
|
|The problem with the web of trust used by PGP is you need to know and
|trust one of the signers of a key you want to use (unless you are going
|to try to validate the key yourself independent of any signatures). This
|works OK within localized groups where in fact most discussion occurs, but
|will not work so well when you are talking to strangers.
|
|Hal Finney
|hfinney@shell.portal.com
|
A fundamental assumption of the RSA trust model is that you trust the
strangers in the trust hierarchy. A fundamental assumption of PGP is
essentially the same but you have the option of choosing lesser degrees of
trust the more removed someone is from your circle of friends.

As it has been alluded to earlier on this list, a hierarchical trust-web can
be constructed from any multi-way trust-web. If, as one person indicated
earlier, RSA hierarchies form "trust-links", then there results a
multi-way trust-web. Under these conditions, I cannot see that there is any
difference in trust models between RSA and PGP.

Any such differences are esoteric. The user interfaces of each may lend
themselves to one or another trust model, but subsequent SW revisions can
easily fix such inconveniences. The trust issues between the two, however,
appear to me to be moot.

Regards,
Ned Smith
nedbob@sequent.com
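
The two validity rules discussed in this thread, as an added example that is not part of either message: a simplified Python model with full trust only (no marginal trust levels, no certificate constraints). The function names, the key names and the `SIGS` data are constructed for illustration.

```python
# Added illustration; a simplified model, not PGP's or any CA software's code.
# SIGS maps a signer to the set of keys it has signed (constructed sample data):
# I signed A's key, A signed B's key, B signed C's key.
SIGS = {"me": {"A"}, "A": {"B"}, "B": {"C"}}


def pgp_valid_keys(sigs, own_key, trusted_introducers):
    """Keys valid under a PGP-style rule: a signature counts only when the
    signer's key is already valid AND the user has personally marked that
    signer as a trusted introducer. Trust is never inherited from a signer."""
    valid = {own_key}
    changed = True
    while changed:  # repeat until no new key becomes valid
        changed = False
        for signer, signed in sigs.items():
            counts = signer == own_key or signer in trusted_introducers
            if signer in valid and counts:
                new = signed - valid
                if new:
                    valid |= new
                    changed = True
    return valid


def hierarchy_valid_keys(sigs, root):
    """Keys valid under a hierarchical rule: anything reachable from the root
    by following signatures is accepted, so trust in the root is transitive."""
    valid, stack = {root}, [root]
    while stack:
        for key in sigs.get(stack.pop(), set()) - valid:
            valid.add(key)
            stack.append(key)
    return valid


if __name__ == "__main__":
    print(sorted(pgp_valid_keys(SIGS, "me", {"A"})))       # B valid, C not
    print(sorted(pgp_valid_keys(SIGS, "me", {"A", "B"})))  # C valid once B is trusted
    print(sorted(hierarchy_valid_keys(SIGS, "A")))         # whole chain under root A
```

With only A marked as a trusted introducer, C's key stays unvalidated; marking every signer in the chain as trusted yields the same set of valid keys as the hierarchical rule.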