Talk:Web of trust

From Wikipedia, the free encyclopedia

Privacy Issues?

Are there any privacy issues when publishing a public key with several signatures on a key server? Without knowing much about it I would guess that anybody could find out with whom this person has contact by downloading her key and checking the signatures. —Preceding unsigned comment added by (talk) 17:27, 15 January 2009 (UTC)

From this page:
"If you sign the public key of XY, this means: I confirm that the key I signed really belongs to person XY.
Such a signature does not state anything about the integrity of a person or your personal relationship to that person."
Though, I would assume, people would be more likely to sign the keys of people they know in person rather than strangers'. I'm guessing key signing parties help prevent this, by spreading the web of trust to as many strangers as possible, hiding which people are your personal friends among them. Is there any expert here who can confirm this? —Preceding unsigned comment added by (talk) 23:55, 12 June 2009 (UTC)
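The two questions raised in this thread (what a keyserver's signature list reveals, and what a signature actually buys you under the PGP trust model) can be shown on a toy graph. The code below is an added example, not part of this discussion or of any PGP implementation; the key names, the signature list and the ownertrust table are all constructed, and the validity routine is a simplified version of GnuPG's classic trust model (completes-needed=1, marginals-needed=3, max-cert-depth=5), not GnuPG's own code.

```python
"""Toy web-of-trust model: signature graph (public, on the keyserver) versus
key validity (computed locally from the user's private ownertrust settings).

Simplified from GnuPG's classic trust model; hypothetical key names throughout."""
from collections import defaultdict

# Constructed keyserver-style dump: (signer, signed key). Every pair here is
# public information once the keys are uploaded.
SIGNATURES = [
    ("alice", "bob"), ("alice", "carol"), ("alice", "dave"),
    ("bob", "erin"), ("carol", "erin"), ("dave", "erin"),
    ("bob", "frank"),
    ("erin", "grace"), ("mallory", "grace"),
]

# Constructed ownertrust table. This is the part a verifier keeps locally and
# never publishes: how much they trust each key *holder* to certify others.
# Keys absent from the table have unknown ownertrust and certify nothing.
OWNERTRUST = {
    "alice": "ultimate",   # the verifier's own key
    "bob": "marginal",
    "carol": "marginal",
    "dave": "marginal",
    "erin": "full",
}


def signers_of(key, sigs=SIGNATURES):
    """The privacy point from the thread: anyone with the keyserver dump can
    list who certified a given key, i.e. who has (very likely) met its owner."""
    return sorted(signer for signer, signed in sigs if signed == key)


def compute_validity(ownertrust, sigs=SIGNATURES,
                     completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """Return {key: depth} for every key the verifier should consider valid.

    Level 0 is the verifier's ultimately trusted key(s). A key becomes valid at
    level n if it is certified by enough keys that were already valid at a
    shallower level: at least `completes_needed` signers with full/ultimate
    ownertrust, or at least `marginals_needed` signers with marginal
    ownertrust. Signatures from keys with unknown ownertrust never count,
    even if those keys are themselves valid."""
    signed_by = defaultdict(set)
    for signer, signed in sigs:
        signed_by[signed].add(signer)

    valid = {k: 0 for k, t in ownertrust.items() if t == "ultimate"}
    for depth in range(1, max_cert_depth + 1):
        newly = {}
        for key, signers in signed_by.items():
            if key in valid:
                continue
            counted = [s for s in signers if s in valid]
            full = sum(1 for s in counted
                       if ownertrust.get(s) in ("ultimate", "full"))
            marginal = sum(1 for s in counted
                           if ownertrust.get(s) == "marginal")
            if full >= completes_needed or marginal >= marginals_needed:
                newly[key] = depth
        if not newly:          # fixed point reached before the depth limit
            break
        valid.update(newly)
    return valid


if __name__ == "__main__":
    print("erin's key was certified by:", signers_of("erin"))
    validity = compute_validity(OWNERTRUST)
    for key in ("alice", "bob", "erin", "frank", "grace", "mallory"):
        print(f"{key:8s} valid={key in validity} depth={validity.get(key)}")
```

Running it shows the asymmetry the thread is circling: `signers_of("erin")` is computable by anyone from public data, while `compute_validity` depends on an ownertrust table that only the verifier holds. Note also that `frank` never becomes valid (one marginal signer is below the threshold of three) and that `mallory`'s signature on `grace` contributes nothing because `mallory` has no ownertrust assigned; a signature only ever states "this key belongs to this name", and how much weight that statement carries is decided per verifier.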

reason for contrasting discussion

The discussion in this article on non-Web-of-Trust schemes is included to contrast with Web of Trust. Many readers will not see, merely from an account of one, its vices/virtues with respect to the other. In this sense it is neither extraneous nor off-topic for this article. ww 18:01, 8 May 2004 (UTC)

It is certainly valuable info. I foresee a time in which it is augmented and put in an article of its own, and this article can focus on the comparisons rather than the meat. Thanks for your other edits. NealMcB 21:05, 2004 May 8 (UTC)
You're welcome. There are several other articles on PKI, X.509, certificates, and such. This being the only one on Web of Trust, the reasons for preferring it (being in contrast to the main alternative) needed to be made evident to the reader. Whether one agrees with them (or should or shouldn't) or not. ww 15:05, 10 May 2004 (UTC)

'collapse of comm PKIs' phrase

Many commercial PKIs are no longer functional as the companies which controlled them have collapsed

I don't think of a PKI as being a distinct thing formed by each root cert, but as a broader thing based on a particular technology and set of interlocking certs, servers, etc. And the hierarchies are unfortunately still functional in the sense that people trust the certs in them - that is the danger. NealMcB 21:05, 2004 May 8 (UTC)

Nealmcb, This was mine. I was attempting to convey in a word (and seem to have failed to do so) that the reason for said (now failed) PKIs to exist -- providing trust for users in the validity of public keys in certificates for which they vouch -- has become non-functional. The sense in which you took it wasn't intended. Can you suggest an alternative wording which doesn't miscarry but achieves the intent? ww 15:05, 10 May 2004 (UTC)
I knew that was what you meant, but I think the other point is more important, and this consequence is obvious once the other is pointed out. NealMcB 20:53, 2004 May 10 (UTC)
Neal, I have looked at your rev and don't think Our Reader (the not so crypto guy) will see it as obvious as you suggest. I've added some explicit phrasing. See what you think. ww 16:23, 11 May 2004 (UTC)
Thanks for pluggin' away. Some improvement, but also some regression, I think. In particular, calling a rooted hierarchy of certs a "PKI" goes against all the usage I see, since the infrastructure includes so many other things.
Neal, What we do with a cert is our choice, but the PKI exists to attest to the binding (and fix various goofs, as in a CRL) so that what we do can have some credibility to various observers including ourselves. All else is 'syntactic sugar', sort of. At least in conceptual terms. Surely, there's much else, but is it needed here? Can't see how to be correct without also being a red herring in some sense. At least an 'unnecessary' detour, by some definition of necessary. Ideas? ww 14:40, 12 May 2004 (UTC)
I also think we need to avoid suggesting that a pgp cert binds a key to a user. It just binds a key to a description of the key, usually an email addr, or many of them. They may indicate different roles of one user, or many users may hold shared responsibility for a key (e.g. via secret sharing), etc. Ellison's SPKI literature elaborates on this notion, which affects X.509 even worse. I'll try to add some more comments when I get a chance. NealMcB 18:26, 2004 May 11 (UTC)
Neal, I was trying so hard to avoid getting into what a 'user' was. Sigh... You are clearly correct that the binding is not to an entity (person, virtual person, dog, goldfish, ...) but to a description of some such. But if we fall into this, many will be the troubles we'll be heir to. On the one hand brevity and lucidity (if fog and some inaccuracy), on the other precision and prolix obscurity. You takes your choice of poisons. Perhaps a reference to an article discussing the meaning of identity in electronic terms (including cert binding and attestations thereto)? Your turn to gyre and gimble in the wabe of the briar patch. (yonder be Harris and Dodgson, spinning). ww 14:40, 12 May 2004 (UTC)

'PGP WofT chugs on' phrase

The PGP web of trust, in contrast, has continued regardless

Having modified the antecedent as noted above, I took this out. Also because certainly many PGP keys are also no longer well managed and at risk. But we could say lots about the robustness benefits of a multiply-connected PKI vs a single hierarchy. NealMcB 21:05, 2004 May 8 (UTC)

N, The intent was to note that (whether or not you like it) PGP's WofT, warts and all, was unaffected by the commercial upheaval. Still a point worth making for the reader, I think. ww 15:05, 10 May 2004 (UTC)
I love the PGP WoT. But it is also used by commercial entities some of which have surely gone out of business or stopped maintaining their certs. That's why I think a discussion of architectural issues is the way to go. NealMcB 20:53, 2004 May 10 (UTC)
Neal, Well.... I'm not sure I love it, I just think it doesn't centralize something that's not best done centrally. If you don't know how to design a system/scheme/protocol that's bullet proof, let folks do it themselves. If they then shoot themselves in the foot, it's sad, but the best available. But anyway, the point that the WofT has continued despite the burst bubble is, I think still worth making. That many PGP keys (including one of Schneier's -- see Practical Crypto) are no longer valid is not really apposite here, I think. True though, and probably should be pointed out. I've made a change which tries to do so. Comment? ww 16:23, 11 May 2004 (UTC)

Major real-world application

Debian! All Debian packages are signed - if you check the keyanalyze results, many of the top 50 are Debian maintainers - including our very own Sam Hocevar! So, it does have its applications. Alphax τεχ 11:17, 21 March 2006 (UTC)


Hello. I am not a cryptographer or a member of this Wikiproject, only a user. I added a "refimprovesect" or "noreferences" tag to this article because I could not see any references in the article. If my taking that action was an error, apologies in advance. Thank you for this article (could not find one for "trusted network" except maybe one about a United States Army technology, but I really don't know the subject). If I goofed please let me know if you could. Best wishes. -Susanlesch 21:24, 10 November 2007 (UTC)


User:JzG is acting belligerently, but I want to air out his concerns for all to review. Essentially, Jason Harris' site is down often, sometimes for months at a time, so I have done the proper thing and removed the link. JzG says that the removal of this broken link constitutes original research, and promptly reverted my change. This is in spite of the fact that no original research was added to the article, only a broken link was removed. Further, it is absurd to use WP:OR as an excuse to revert the removal of any material. By that logic, I could add obscenities to the article and revert their removal under WP:OR, which is an absurd outcome. Any thoughts? --Namescases (talk) 23:00, 2 January 2008 (UTC)

  • This is the edit I reverted (my sole edit to this article, hardly qualifies as "acting belligerently" I'd say): [1]. I have no problem with removing the link, but a little homily on how there used to be this really great site is simply inappropriate. Guy (Help!) 17:58, 3 January 2008 (UTC)

How does this apply to an Internet Browser Add-on?

It seems this phrase "web of trust" applies in some way to internet browser add-ons, which is how I came here. I assume the browser add-on allows a group of people to trust a web-site (or not). Not sure. Someone on a Tech Forum said that having a "Web of Trust" add-on to your browser allows you to know whether or not an unknown web-site is dangerous. It would be useful if this article included some explanation of this. I'm still not sure what it is exactly, or how the encryption "web of trust" relates to the browser. Jimmy Rapid (talk) 02:50, 10 December 2010 (UTC)

Intelligence not allowed

The article states that "Intelligence is normally neither required nor allowed" in a CA-based PKI. Obviously one can choose which CAs to trust: for example, don't trust a Chinese CA on sites that serve the U.S. market. --Damian Yerrick (talk | stalk) 21:04, 6 August 2011 (UTC)