introducer trust model, Was: Eat this RIAA (or, the war has begun?)

Vadim Antonov avg at exigengroup.com
Fri Aug 23 02:34:32 UTC 2002




The point of web-of-trust models is not to identify anyone reliably, but 
to make obtaining false identities harder.  I.e. every signatory risks 
their reputation by signing someone else's certificate, and it is easy to
mark that signatory as untrustworthy, thus effectively invalidating or
reducing trustworthiness of all parties having that signatory in the
trust chain.

This can be defeated by creating chains of sham identities; but somewhat 
more advanced graph analysis (i.e. identifying "gateway" links to the 
subgraph where a cluster of untrustworthy behaviour is detected) can deal 
with that too.  Such analysis can be performed proactively, on a 
distributed collection of host computers checking links at random.

However, web of trust per se is not sufficient; what the Internet needs is 
some way to assemble irrevocable "reputation" files for assumed and real
identities.  The problem of false reports on the files can be addressed by 
checking trustworthiness of report submitters before factoring their 
reports into final scores.

The practical irrevocability can be achieved using techniques similar to 
Publius.  (Finding all individual reports for the identity is an 
interesting problem, though :)  Protection of the system from floods of
bogus reports is going to be interesting, too.

Obviously, a system like that could be very useful in business
transactions, too.

--vadim

On Thu, 22 Aug 2002, Steven M. Bellovin wrote:

> In message <20020822142836.A92148 at mail.webmonster.de>, "Karsten W. Rohrbach" writes:
> 
> > i am not an expert in this field, but i think that a generic standard
> > for this kind of trust model is long overdue, the only application
> > nowadays out there in the wild using it being pgp's model of the web of
> > trust.
> 
> I doubt that it would work well -- one "mole" would suffice for many 
> large penetrations.
> 
> 		--Steve Bellovin, http://www.research.att.com/~smb (me)
> 		http://www.wilyhacker.com ("Firewalls" book)
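An added illustration of the two mechanisms the post describes (a distrusted signatory invalidating every identity whose chain runs through it, and "gateway" links into a cluster of sham identities), plus report weighting by submitter trustworthiness. This is example code written for this page, not code from the thread or from Publius; the web of trust, the flagged cluster and the reports are constructed sample data.

```python
from collections import defaultdict, deque

# Constructed web of trust (signer -> subject certifications); names are
# illustrative and not taken from the original thread.
SIGNATURES = [
    ("alice", "bob"), ("bob", "carol"), ("alice", "dave"),
    ("dave", "mallory"),                       # the single link into the sham cluster
    ("mallory", "sham1"), ("sham1", "sham2"),
    ("sham2", "sham3"), ("sham3", "mallory"),  # sham identities certifying each other
    ("sham2", "eve"),                          # eve is reachable only through the cluster
]
# Constructed reputation reports: (submitter, target identity, score 0..5).
REPORTS = [("bob", "carol", 5), ("sham1", "carol", 0),
           ("mallory", "mallory", 5), ("carol", "eve", 1)]


def build_graph(signatures):
    graph = defaultdict(set)
    for signer, subject in signatures:
        graph[signer].add(subject)
    return graph


def trusted_from(graph, root, distrusted=frozenset()):
    """Identities reachable from `root` by a chain of signatures that never
    passes through a distrusted signatory; marking one signer as distrusted
    drops every identity whose only chains run through that signer."""
    seen, queue = {root}, deque([root])
    while queue:
        signer = queue.popleft()
        if signer in distrusted:
            continue  # a distrusted signer's certifications carry no weight
        for subject in graph.get(signer, ()):
            if subject not in seen:
                seen.add(subject)
                queue.append(subject)
    return seen - set(distrusted)


def gateway_links(graph, cluster):
    """Signatures leading from outside a detected cluster of untrustworthy
    behaviour into it: the links to sever and the signers to re-examine."""
    return sorted((s, t) for s in graph for t in graph[s]
                  if s not in cluster and t in cluster)


def reputation(reports, trusted):
    """Mean score per identity, counting only reports from trusted submitters."""
    totals = defaultdict(list)
    for submitter, target, score in reports:
        if submitter in trusted:
            totals[target].append(score)
    return {t: sum(v) / len(v) for t, v in totals.items()}
```

With the sample data, distrusting the one gateway signer ("dave") removes the whole sham cluster and "eve" from alice's trusted set, and the sham identities' reports on "carol" and "mallory" are then ignored.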