Monday, 30 October 2017
Is there a role for social media to solve the "web of trust" issue?
The issue is that of "identity". There is no real way to know that someone's public key is actually theirs. Yes, the key is accompanied by additional information such as a name and email address, and that is signed by the private key, so we know it all goes together. However, we do not know that it was not all simply made up by someone else.
This is solved in many ways - I have a PGP key fingerprint on my business cards. This means that after a face-to-face meeting, someone can check that the person they actually met matches a public key they find on the internet. They still do not know for sure that the person they met is Adrian Kennard, but they do know they are communicating with the person they met (assuming I am not giving out someone else's key for some obscure reason).
The other way is a "web of trust" - when you meet someone, and by some means you confirm that the identifying information in their public key matches up to them (check passport, driving licence, etc.), then you countersign their key. This is what happens at key signing parties (honest, that is all, it is not some euphemism).
The idea is that with people signing other people's keys you can create a chain of signatures from someone you know personally to the key you want to check. And indeed, by having multiple paths, and a score of "trust" attached to each signer, you can set a threshold for trusting a key via the "web".
This ultimately allows you to trust people you do not know without needing a trusted central authority model. Obviously, if trusted central authorities, like banks and Companies House, actually participated, that would help massively.
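To make the "chain of signatures, multiple paths, per-signer trust score, threshold" idea concrete, here is a small Python model of a web of trust. It is an added example written for this page, not code from the post or from any PGP implementation. The validity rule it uses (one fully trusted signer, or three marginally trusted ones, and a maximum chain length of five) is an assumption chosen to mirror the shape of the classic GnuPG defaults; the people and signatures in `build_example()` are constructed for the demonstration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Owner-trust levels the local user assigns to a key's *owner*: how much the
# user believes that person checks identity documents before signing a key.
# This is separate from whether the key itself is considered valid.
NONE, MARGINAL, FULL, ULTIMATE = 0, 1, 2, 3


@dataclass
class WebOfTrust:
    """Toy web of trust: who countersigned whose key, plus the owner trust the
    local user assigns to each signer. Threshold parameters are assumptions
    modelled on the classic GnuPG shape (1 full / 3 marginal / depth 5)."""
    signatures: dict[str, set[str]] = field(default_factory=dict)  # key -> signers
    owner_trust: dict[str, int] = field(default_factory=dict)
    completes_needed: int = 1
    marginals_needed: int = 3
    max_cert_depth: int = 5

    def sign(self, signer: str, key: str) -> None:
        """Record that `signer` verified `key`'s owner and countersigned the key."""
        self.signatures.setdefault(key, set()).add(signer)

    def set_trust(self, key: str, level: int) -> None:
        """Record how far the local user trusts this key's owner as a signer."""
        self.owner_trust[key] = level

    def valid_keys(self, own_key: str) -> dict[str, int]:
        """Return every key the local user may treat as valid, mapped to the
        shortest signature-chain length (depth) from own_key that validates it."""
        valid = {own_key: 0}
        for depth in range(1, self.max_cert_depth + 1):
            newly: dict[str, int] = {}
            for key, signers in self.signatures.items():
                if key in valid:
                    continue
                full = marginal = 0
                for signer in signers:
                    # A signature only counts if the signer's own key is already
                    # valid (from an earlier round) and its owner is trusted.
                    if signer == key or signer not in valid:
                        continue
                    trust = self.owner_trust.get(signer, NONE)
                    if trust >= FULL:
                        full += 1
                    elif trust == MARGINAL:
                        marginal += 1
                if full >= self.completes_needed or marginal >= self.marginals_needed:
                    newly[key] = depth
            if not newly:
                break          # fixed point reached: no more keys can become valid
            valid.update(newly)
        return valid


def build_example(**params) -> WebOfTrust:
    """Constructed sample web (hypothetical people, not real keys)."""
    web = WebOfTrust(**params)
    web.set_trust("me", ULTIMATE)
    # Met face to face, fingerprints checked against business cards, so I sign them.
    for friend in ("alice", "bob", "carol"):
        web.sign("me", friend)
    web.set_trust("alice", FULL)      # alice is careful, so her signature alone suffices
    web.set_trust("bob", MARGINAL)
    web.set_trust("carol", MARGINAL)
    web.set_trust("dave", MARGINAL)
    web.sign("alice", "dave")         # dave: valid through one fully trusted signer
    for signer in ("bob", "carol", "dave"):
        web.sign(signer, "erin")      # erin: valid through three marginal paths
    web.sign("bob", "frank")          # frank: only one marginal signer, not enough
    web.sign("erin", "gary")          # erin is valid but has no owner trust
    web.sign("mallory", "alice (lookalike key)")  # unknown signer: worthless
    return web


if __name__ == "__main__":
    for key, depth in sorted(build_example().valid_keys("me").items(), key=lambda kv: kv[1]):
        print(f"{key:<8} valid at depth {depth}")
```

The two cases worth noticing are `erin` and `gary`: `erin` is accepted only because three independent marginal paths reach her, which is the "multiple paths and a score of trust" point, while `gary` is rejected even though `erin`'s key is valid, because validity of a key and trust in its owner as a signer are different judgements. A social-media platform that issued signatures, as the post goes on to suggest, would simply be one more signer node here with whatever owner-trust level the user chooses to give it.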
So how could we improve the web of trust?
Well, I wonder if this is actually a role the likes of Facebook could take on. Facebook already has a web of contacts, and most of my "friends" I know personally and can be sure the Facebook persona is the person I know. They would need to prompt people to confirm how well they know their friends, not when they first connect but maybe a few months later. But ultimately that could mean allowing a signature chain to be created to join up digital keys...
I have not worked out the details, as one issue is that not everyone has keys, and I have not told Facebook my public key, but done right it could mean that people who do put public keys on Facebook could get a load of additional signatures based on a web of social media trust.
I have also not tried to work out how the whole thing could be heavily trolled.