Weaving a PGP Web of trust..proposal? comments? (fwd)
Ian G Batten
I.G.Batten at ftel.co.uk
Tue, 18 Aug 1998 14:50:01 +0100
Minor problem with the local mail/news gateway.
To: admin-list@ftel.co.uk
From: Ian G Batten <I.G.Batten@batten.eu.org>
Newsgroups: mail.ukcrypto
Subject: Re: Weaving a PGP Web of trust..proposal? comments? (fwd)
Date: 18 Aug 1998 13:48:27 GMT
Organization: Ian G Batten speaking for himself
Message-ID: <6rc0nb$4qr$1@ftel.ftel.co.uk>
References: <coYGyBAEa811EwF3@swarb.demon.co.uk> <35D7E46A.B8249159@cs.ucl.ac.uk>
In article <35D7E46A.B8249159@cs.ucl.ac.uk>,
Ian Brown <ukcrypto@maillist.ox.ac.uk> wrote:
> If I wanted to communicate securely with someone from this list who I'd
> never met, I wouldn't care what their "name" was: I would want to talk to
> the person who sent the messages that I am contacting them about. Once more
> people sign their posts, I would simply use the key that had been used to
> sign the posts of interest, regardless of the name on it.
That's true. If it turned out that I was in fact a fiction created by
the bloke sat at the next desk, you'd want to send your mail to
Neil-acting-as-Ian, not Neil-acting-as-Neil, and provided the reply you
got was sensible, you'd be quite happy.
However, the deep underlying assumption here is that `entities' (which
you rightly say may not be bound to individuals, but are bound to keys)
are unique. The only reason my private key is tacitly assumed to be
private and therefore uniquely identify a monolithic entity is because
it's assumed to be bound to an individual, me, who has extrinsic reasons
to want to keep it to myself. If I were a fiction, that assumption
breaks down, and I might quite happily hand it out to a lot of people.
If you didn't know that had happened, you could get into quite some
entertainment.
We've gone through this here, discussing signing documents like business
plans and access requests as they pass through the business. Sometimes
you want personal signatures (this is Ian Batten). Sometimes you want
job function signatures (this is the Technical Manager in IS).
Sometimes you want fine-grained role signatures (this is the person who
approves the punching of single-port TCP holes in the firewall). And so
on. There's much more to the piece than just binding signatures to
individuals in a one-to-one fashion.
With manual systems, the slippery nature of `individuals' and
`identities' is something we just ignore.
ian
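The job-function and role signatures Ian describes need a verifier that checks more than "this key signed this message". As an added example (not from the thread or from any software it mentions), using Go's standard-library ed25519 in place of PGP: a personal key certifies a role key under a label, and the verifier accepts a message only when the label and the issuer both check out. The Certification format, the function names and all key material are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Certification: an issuing (personal) key vouches that Key may sign as Role (hypothetical format, not a PGP packet).
type Certification struct {
	Role   string
	Key    ed25519.PublicKey
	Issuer ed25519.PublicKey
	Sig    []byte // issuer's signature over certPayload(Role, Key)
}

// certPayload binds the role label to the key bytes so a certification for one role cannot be relabelled as another.
func certPayload(role string, key ed25519.PublicKey) []byte {
	return append([]byte("role:"+role+"\x00"), key...)
}

// Certify has the issuer's personal key vouch for key acting in role.
func Certify(issuer ed25519.PrivateKey, role string, key ed25519.PublicKey) Certification {
	return Certification{Role: role, Key: key, Issuer: issuer.Public().(ed25519.PublicKey),
		Sig: ed25519.Sign(issuer, certPayload(role, key))}
}

// VerifyRoleSignature accepts msg only if sig verifies under c.Key, c names the role being asked about, and c
// was issued by a trusted key. It says nothing about how many people hold c.Key: a shared role key is invisible here.
func VerifyRoleSignature(trusted []ed25519.PublicKey, role string, c Certification, msg, sig []byte) bool {
	if c.Role != role || !ed25519.Verify(c.Key, msg, sig) {
		return false
	}
	for _, t := range trusted {
		if t.Equal(c.Issuer) {
			return ed25519.Verify(c.Issuer, certPayload(c.Role, c.Key), c.Sig)
		}
	}
	return false
}

func main() {
	ianPub, ianPriv, _ := ed25519.GenerateKey(rand.Reader)  // personal key (constructed)
	rolePub, rolePriv, _ := ed25519.GenerateKey(rand.Reader) // job-function key (constructed)
	cert := Certify(ianPriv, "Technical Manager in IS", rolePub)
	msg := []byte("access request: open one TCP port on the firewall")
	sig := ed25519.Sign(rolePriv, msg)
	fmt.Println(VerifyRoleSignature([]ed25519.PublicKey{ianPub}, "Technical Manager in IS", cert, msg, sig)) // true
	fmt.Println(VerifyRoleSignature([]ed25519.PublicKey{ianPub}, "firewall-hole approver", cert, msg, sig))  // false
}
```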