Comment by michaelt
18 hours ago
PGP’s web of trust was kinda bad privacy-wise in some regards, as it basically revealed your IRL social network.
If my PGP public key has 6 signatures and they’re all members of the East Manitoba Arch Linux User Group, you can probably work out pretty easily which Michael T I am.
Are there successful newer designs, which avoid this problem?
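The leak described above is visible in the key itself: each certification is an OpenPGP signature packet attached to the User ID, and it names its signer by key ID. The following is an added example, not code from the thread or any commenter, that walks a public key's packet stream (RFC 4880 framing, stdlib Python only) and lists, per User ID, the third-party key IDs that certified it, dropping the key's own self-certification. The key block it runs on is constructed: a dummy modulus, a hypothetical User ID and three hypothetical certifier key IDs, with no valid cryptography, since only the framing matters for the point.

```python
# Added example, not from the thread: list the certifiers of an OpenPGP key from its packets.
# The key block built at the bottom is constructed (dummy modulus, no real crypto).
import hashlib
import struct

CERT_TYPES = {0x10, 0x11, 0x12, 0x13}  # certifications over a User ID + primary key

def _decode_len(buf, i, subpacket=False):
    """New-format packet length (RFC 4880 4.2.2) or subpacket length (5.2.3.1)."""
    b = buf[i]
    if b < 192:
        return b, i + 1
    if b < 224 or (subpacket and b < 255):
        return ((b - 192) << 8) + buf[i + 1] + 192, i + 2
    if b == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths are not handled in this example")

def iter_packets(buf):
    """Yield (tag, body) for each top-level packet, old- or new-format header."""
    i = 0
    while i < len(buf):
        hdr = buf[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                                   # new format: tag in low 6 bits
            tag = hdr & 0x3F
            length, i = _decode_len(buf, i + 1)
        else:                                            # old format: tag in bits 2-5
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            size = (1, 2, 4)[ltype]
            length, i = int.from_bytes(buf[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, buf[i:i + length]
        i += length

def iter_subpackets(buf):
    """Yield (type, body) for signature subpackets, critical bit stripped."""
    i = 0
    while i < len(buf):
        length, i = _decode_len(buf, i, subpacket=True)
        yield buf[i] & 0x7F, buf[i + 1:i + length]
        i += length

def key_id(pubkey_body):
    """V4 key ID: low 64 bits of SHA-1(0x99 || 2-byte len || key packet body), RFC 4880 12.2."""
    h = hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body)
    return h.hexdigest()[-16:].upper()

def signature_issuer(body):
    """Return (signature type, issuer key ID or None) from a v4 signature packet body."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    sig_type, i, issuer = body[1], 4, None
    for _ in range(2):                                   # hashed area, then unhashed area
        n = struct.unpack(">H", body[i:i + 2])[0]
        i += 2
        for stype, sbody in iter_subpackets(body[i:i + n]):
            if stype == 16 and len(sbody) == 8:          # Issuer subpacket
                issuer = sbody.hex().upper()
            elif stype == 33 and len(sbody) == 21 and sbody[0] == 4:  # Issuer Fingerprint, v4
                issuer = sbody[-8:].hex().upper()
        i += n
    return sig_type, issuer

def certifiers(keyblock):
    """Map each User ID to the key IDs of third parties that certified it (self-sigs dropped)."""
    own, uid, graph = None, None, {}
    for tag, body in iter_packets(keyblock):
        if tag == 6:                                     # primary public key
            own, uid = key_id(body), None
        elif tag in (14, 17):                            # subkey / user attribute ends UID scope
            uid = None
        elif tag == 13:                                  # User ID
            uid = body.decode("utf-8", "replace")
            graph.setdefault(uid, set())
        elif tag == 2 and uid is not None:
            sig_type, issuer = signature_issuer(body)
            if sig_type in CERT_TYPES and issuer and issuer != own:
                graph[uid].add(issuer)
    return graph

# Constructed sample key below: framing only, nothing here would verify.
def _packet(tag, body):                                  # new-format header, one-byte length
    return bytes([0xC0 | tag, len(body)]) + body

def _mpi(value):
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def _v4_sig(sig_type, issuer_hex):
    """V4 signature body with the Issuer subpacket in the unhashed area, where GnuPG puts it."""
    unhashed = bytes([9, 16]) + bytes.fromhex(issuer_hex)   # subpacket length 9 = type + key ID
    return (bytes([4, sig_type, 1, 8]) + struct.pack(">HH", 0, len(unhashed)) + unhashed
            + b"\x00\x00" + _mpi(0x1234))

def build_sample_key():
    """Primary key + one User ID + a self-certification + three hypothetical certifiers."""
    pub = bytes([4]) + struct.pack(">I", 1700000000) + b"\x01" + _mpi(0xDEADBEEFCAFEF00D) + _mpi(65537)
    own = key_id(pub)
    friends = ["1111111111111111", "2222222222222222", "3333333333333333"]  # hypothetical key IDs
    block = _packet(6, pub) + _packet(13, b"Michael T <michael@example.org>") + _packet(2, _v4_sig(0x13, own))
    for kid in friends:
        block += _packet(2, _v4_sig(0x10, kid))
    return block, own, friends
```

On a real key, the input would be the binary output of `gpg --export <keyid>`. Two caveats a practitioner would want: the Issuer subpacket usually sits in the unhashed area, which the signature does not cover, so without verifying each signature these are claimed certifiers rather than proven ones; and the parser deliberately does not verify anything, because the privacy point stands either way, since the key IDs are readable by anyone holding the public key, whether or not they can check the signatures.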
The IRL social network is actually the important part of the trust structure.
The only one of these I've seen that really worked was the Debian developer version: you had to meet another Debian developer IRL, prove your identity, and only then could you get the key signed and join the club.
> The IRL social network is actually the important part of the trust structure.
For Debian-style applications that are 100% about openness and 0% about secrecy, sure.
But if you want to secure communications between pro-democracy activists in China, or you're a Snowden-like whistleblower wanting to securely communicate with journalists, y'all probably don't want to be vouching for one another's keys.
You need to meet 2 actually :)