Actually, there's nothing "GNU" about the "Web-of-Trust" idea... it belongs to Phil Zimmermann and was the original way PGP was implemented, and Phil took his ideas from the NSA/DCMS structure for symmetric keys.
See: Under the links below, the evolution of the "web of trust" concept can clearly be seen. PGP was first, GNU's GPG was subsequent:
http://www.heureka.clara.net/sunrise/pgp.htm

An interview on the WELL, with Phil:
gopher://gopher.well.sf.ca.us/00/hacking/pgp.up

PGP Prior Art (1997):
http://bcn.boulder.co.us/~neal/pgpstat/
(1996):
http://www.heureka.clara.net/sunrise/pgpweb.htm
and
http://www.rubin.ch/pgp/weboftrust.en.html

Epinions version (non-crypto) (NOTE: also used on Ebay):
http://www.epinions.com/help/faq/show_~faq_wot

W3C and World Wide Web Journal (1997):
http://www.cs.caltech.edu/~adam/local/trust.html

Thawte/Verisign (commercial) Program:
http://www.thawte.com/certs/personal/wot/contents.html

NSA Alternatives (applies to symmetric and special keys only: various distribution methods, including direct courier and over-the-air rekey, could currently be used to protect asymmetric key systems, though rather easily) (Navy variant, outdated):
http://www.fas.org/man/dod-101/navy/docs/swos/ops/72-23.html

GNU took Phil's idea and rewrote it a little. Phil used a system that had been in place for over 35 years, originally used to protect the Allies' nuclear 'triggers,' and they used a system that had been in place since the time of the Romans.

GNU and the Open Source community have given us many things. The idea of the "web of trust" isn't one of them, though.

Michael J. Cannon
Security Professional

----- Original Message -----
From: "Phil Kramer" <[EMAIL PROTECTED]>
To: "Chris Wilkes" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, October 19, 2001 12:01 PM
Subject: Re: Small office Firewall.

> The "Web of Trust" model is based on people physically meeting and
> exchanging keys. You depend on Alice and Bob and yourself to meet in
> person. Alice verifies that Bob is Bob and that you are you. You all 3
> exchange keys. This is the ONLY secure way to do it. This is not a very
> practical model when dealing outside your locale or area. In addition, what
> do you do if, say, Bob's keys have been compromised/stolen from his machine?
> Do you depend on a signed or unsigned email from Bob telling you what
> happened and here are my new keys? Catch-22.
>
> I would not say that this is a better way, just a different way.
>
> Phil
>
> ----- Original Message -----
> From: "Chris Wilkes" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, October 18, 2001 12:05 PM
> Subject: Re: Small office Firewall.
>
> > Anyone use GNUPG? It uses a "web of trust" where fellow humans certify you
> > are who you are. I.e., if Alice says that Bob is who he is and you trust
> > Alice, then you trust that the mail signed by Bob is really from Bob.
> >
> > This approach is radically different from the PGP way pushed by Network
> > Associates where there is a root authority stamping everyone's
> > certificate. This is almost a perfect example of how the GNU way is
> > better: the potential collapse of the root person might cause the downfall
> > of the system. See also where Verisign signed a fake certificate for
> > someone they thought worked for Microsoft.
> >
> > http://www.gnupg.org
> >
> > Chris
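The inference Chris describes (you trust Alice as an introducer, Alice certifies Bob, so Bob's key becomes valid) and the compromised-key "catch-22" Phil raises can both be shown with a small model of the PGP-style validity rule. This is an added example, not code from the thread or from GnuPG; the thresholds assumed are GnuPG's defaults (one fully trusted certifier, or three marginally trusted ones), and the rule that a revoked key can no longer vouch for anything is a simplifying assumption of this model.

```python
from dataclasses import dataclass, field

FULL, MARGINAL = "full", "marginal"
COMPLETES_NEEDED = 1   # assumed GnuPG default: one fully trusted certifier suffices
MARGINALS_NEEDED = 3   # assumed GnuPG default: or three marginally trusted certifiers


@dataclass
class Key:
    owner: str
    certified_by: set = field(default_factory=set)  # owners whose keys signed this one
    revoked: bool = False


def compute_validity(keys, owner_trust, my_key="me"):
    """Return {owner: is_valid} for every key in `keys`.

    `owner_trust` records how far YOU trust each owner as an introducer.
    Validity (is this really Bob's key?) is separate from owner trust (is Bob
    careful about whose keys he signs?). A certification only counts if the
    certifier's own key is already valid, so validity spreads out from yours.
    """
    valid = {my_key}
    changed = True
    while changed:
        changed = False
        for owner, key in keys.items():
            if owner in valid or key.revoked:
                continue
            full = marginal = 0
            for signer in key.certified_by:
                if signer not in valid:     # unknown or revoked signers carry no weight
                    continue
                if signer == my_key or owner_trust.get(signer) == FULL:
                    full += 1
                elif owner_trust.get(signer) == MARGINAL:
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid.add(owner)
                changed = True
    return {o: o in valid for o in keys}


def example_ring():
    """Constructed sample: you signed Alice's key in person; Alice signed Bob's."""
    keys = {"me": Key("me"), "alice": Key("alice", {"me"}), "bob": Key("bob", {"alice"})}
    return keys, {"alice": FULL}


def bob_key_compromised(keys, owner_trust):
    """Bob's old key is revoked; he mails out 'bob-new', certified only by the old key."""
    keys["bob"].revoked = True
    keys["bob-new"] = Key("bob-new", {"bob"})
    return compute_validity(keys, owner_trust)
```

The new key only becomes valid once a trusted introducer such as Alice re-certifies it out of band, which is exactly the step an e-mail from "Bob" cannot replace.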
