Web of trust

From RationalWiki
Do you really want to trust yasser_arafat44@example.com?

Web of trust is a term used in cryptography for decentralized security models in which participants vouch for the identities of other participants instead of relying on a central authority. Examples are PGP[1] and the now discontinued Thawte e-mail certificates. A web of trust is essentially a bunch of people vouching for the identities of their fellow users, which is also a foundational feature of social networking websites such as Facebook and LinkedIn.[2]

Applications in cryptography

PGP has no central authority for verifying identities. Keys are uploaded to key servers without validation, and other users then search those servers for the key of whoever they want to write to. This lack of validation at the key servers means that anyone could create and upload a key in the name of the professional dullard Bill O'Reilly. (Some newer key servers check that the uploader controls the e-mail address in the key, but that still says nothing about who the person behind the address is.) Thawte did have a centralized registration system, but by default there was still no validation of a user's identity beyond terms and conditions requiring accurate details. Validation in Thawte came either by paying Thawte to check one's identity (on provision of suitable documentation) or through endorsements from fellow users.[3]

In these systems users can raise the level of trust in their keys by having them signed by other users. Thawte applied a points-based scoring system based on the number of endorsements and who they came from: ultimate authority rested with Thawte and trickled down as authenticated users passed endorsements on to others, and the number of points a user could award depended on how thoroughly they themselves had been validated as who they claimed to be. In PGP there is nobody at the top. The user decides, key by key, how far they trust its owner to vouch for other people (the "owner trust"), and the software works out from that and from the signatures on a key whether to treat the key as valid. GnuPG's default rule, for instance, is to accept a key that is signed by one fully trusted key or by three marginally trusted ones, following signature chains at most five steps from the user's own key. How much trust to assign to anyone remains a personal decision.

With both PGP and Thawte there is no technical reason why a random user couldn't register under the assumed identity of Bill O'Reilly, but such an identity should be left untrusted unless suitably endorsed. The genuine Bill O'Reilly could be expected to carry endorsements from fairly well-known right-wing ideologues and fellow chicken hawks; someone claiming to be O'Reilly while lacking such endorsements should garner little trust. In the absence of sufficient endorsements, a user would ideally do enough research to make an informed decision. The effectiveness of the web of trust model rests on the diligence of its users, and as a team effort it relies on trusted people not being stupid: one trusted user who signs any key put in front of them lends that credibility to every impostor they meet. It's fine to hang out and have sex with stupid (but attractive) people. Just don't let them into your web of trust.
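The way owner trust and signatures combine into key validity, and why a key for a fake O'Reilly signed only by nobodies stays untrusted, can be seen in a small model. The following is an added example written for this page, not GnuPG's own code: it is a simplified reimplementation of the classic GnuPG validity rule (one fully trusted signer or three marginally trusted signers, signers must themselves be fully valid, at most five steps deep), run over a constructed keyring whose key names, signatures and trust settings are all made up for illustration.

```python
"""Simplified model of OpenPGP key validity (added example, not GnuPG code).

Keys are identified by short made-up names standing in for fingerprints.
A signature (signer, signed) means "signer vouches that the key 'signed'
belongs to the person named on it".  Owner trust is what *you* record
about each key holder: how far you trust them to vouch for others.
Validity is derived from those two inputs with GnuPG's default classic
thresholds; the walk starts from your own ultimately trusted key.
"""

COMPLETES_NEEDED = 1   # GnuPG default --completes-needed
MARGINALS_NEEDED = 3   # GnuPG default --marginals-needed
MAX_CERT_DEPTH = 5     # GnuPG default --max-cert-depth


def compute_validity(signatures, owner_trust):
    """Return {key: "full" | "marginal" | "unknown"} for every key seen.

    signatures:  iterable of (signer, signed) certifications
    owner_trust: {key: "ultimate" | "full" | "marginal" | "unknown"};
                 keys missing from the dict are treated as unknown.
    """
    keys = {k for pair in signatures for k in pair} | set(owner_trust)
    validity = {k: "unknown" for k in keys}
    # Depth 0: your own (ultimately trusted) keys are valid by fiat.
    vouchers = {k for k, t in owner_trust.items() if t == "ultimate"}
    for k in vouchers:
        validity[k] = "full"
    for _depth in range(1, MAX_CERT_DEPTH + 1):
        newly_full = set()
        for key in keys:
            if validity[key] == "full":
                continue
            fulls = marginals = 0
            for signer, signed in signatures:
                # Only fully valid signers count, and self-signatures never do.
                if signed != key or signer == key or signer not in vouchers:
                    continue
                trust = owner_trust.get(signer, "unknown")
                if trust in ("ultimate", "full"):
                    fulls += 1
                elif trust == "marginal":
                    marginals += 1
            if fulls >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                validity[key] = "full"
                newly_full.add(key)
            elif fulls or marginals:
                validity[key] = "marginal"   # some support, not enough
        if not newly_full:
            break                            # nothing new to vouch with
        vouchers |= newly_full               # newly valid keys vouch next round
    return validity


def keyring_example():
    """Constructed keyring: every name and signature here is invented."""
    signatures = [
        ("me", "alice"), ("me", "bob"), ("me", "carol"), ("me", "dave"),
        # The genuine O'Reilly key carries three endorsements from people
        # I trust marginally.
        ("bob", "bill"), ("carol", "bill"), ("dave", "bill"),
        # The impostor's key is signed only by keys nobody I trust vouches for.
        ("rando1", "fake-bill"), ("rando2", "fake-bill"),
        # One marginal endorsement is not enough.
        ("bob", "frank"),
        # One endorsement from a fully trusted signer is.
        ("alice", "grace"),
    ]
    owner_trust = {
        "me": "ultimate", "alice": "full",
        "bob": "marginal", "carol": "marginal", "dave": "marginal",
    }
    return compute_validity(signatures, owner_trust)


if __name__ == "__main__":
    for key, v in sorted(keyring_example().items()):
        print(f"{key:10} {v}")
```

Note that the impostor's key never becomes valid however many unknown keys sign it, because validity flows only from keys that trace back to yours; and if you had rated one careless friend "full", one signature from them would have been enough to rubber-stamp the fake.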

Web of trust in social networking

Social networking sites generally do not authenticate identities any more than RationalWiki can assure readers that the author is a Nobel Prize winner.[4] Having terms and conditions requiring that the information provided be accurate still doesn't prevent a multitude of Adolf Hitlers from springing up all over the place. The web of trust in social networking sites is primarily based on adding people to lists of friends. On Facebook, adding someone as a friend typically grants them greater access to that user's information and to their network of friends. A user could personally validate the identity of the person in question by asking politely "who the hell are you", or by looking at their list of friends to see whether they already have friends in common. As in cryptography, this system breaks down if one is unfortunate enough to have the kind of friends whose sole criterion for accepting a friend request is to have been asked. These people are the reason why you've been receiving a steady stream of e-mails from the relatives of deceased African dictators, and why you have to put away the good plates when they come to dinner.

References

  1. The GnuPG website (an open source implementation of OpenPGP).
  2. Foundational unless you're the kind of user who collects friends like O.J. Simpson collects criminal charges.
  3. Wikipedia has an overview of the now discontinued Thawte web of trust.
  4. He is not.