Re: Why did the PGP Web of Trust fail?

> On 21 Jun 2018, at 05:42, Liam R. E. Quin <liam@w3.org> wrote:
> 
> On Wed, 2018-06-20 at 21:40 +0200, Henry Story wrote:
>>> On 20 Jun 2018, at 21:30, Liam R. E. Quin <liam@w3.org> wrote:
>>> 
>> yes, that's kind of the point of the reasoning in the post. 
>> It looks like you stopped at the first part, 
> 
> no, i read the whole article, don't worry :)

It could be that there were too many links in the document so that
"institutional web of trust" got lost among the links. As it is an important
part of the reason why I wrote the post that started this thread
I have now added a full picture of it in section 4 on Limitations of PGP Wot.

> 
> 
>> That is the point at which I consider the Verifiable Claims work as say
>> an improved PGP. But then one gets to the point of the skills required to
>> verify a claim, which is what leads to the institutional trust.
>> 
>> The institutional Web of Trust is developed in the last part of this longer
>> post "From Digital Sovereignty to the Web of Nations"
>> https://medium.com/cybersoton/from-digital-sovereignty-to-the-web-of-nations-61fbc28d79cd
> 
> (typo on that page, the "will" is missing from the categorical
> imperative!)

Mhh. Seems to be there :-)

> 
> There's a danger in the rhetoric here of sounding as if the word
> Sovereign is more important than the reality described - see the film
> "Zeitgeist" for lots of really bad examples of this rhetorical
> phenomenon, where e.g. a large proportion of the film depends on the
> idea that Son and Sun sound the same... in Hebrew and Greek (they
> don't). I think that in a digital context by sovereign you really mean,
> in control of, rather than, say, owning by divine or hereditary right.
> Perhaps my view differs because i live in a country whose head of state
> is a sovereign, the Queen :)

Mine too. But in the article I actually refer to the French book "Souveraineté Numérique"
(with a picture of it) which translated is "Digital Sovereignty". I then developed
an article in that book by a French constitutional scholar who writes for
Le Monde, and who uses the term Sovereign, even though
France is a republic and has quite famously no King or Queen. (That made
a pretty big historical impact in Europe a few centuries ago :-)

Btw, for those who followed Brexit, that author also wrote a book on the limits
of European integration presented by the French, German and Italian constitutions,
meaning that the whole fear in the UK of losing its sovereignty was completely
unfounded.

> 
>> You'll see there in the comments by Philip Sheldrake who asked how that ties
>> into the Verifiable Claims. When you look at my answer there you should
>> see how the whole thing fits together :-)
> 
> i think i do see what you are saying. It's a very different take than
> i've heard from the VC WG so far, which is interesting. Or maybe i
> haven't paid enough attention :)

I have not paid attention to discussions there either, but will try to more.
It is just an obvious necessity when you think about it. Here's my thinking:

If you are going to have Credentials of one form or another in a global
information space like the internet, these credentials will usually be signed
by someone who is deemed able to verify the fact in the credential.
For driving this is done in the US by the DMV. 
The Institution needs a global identifier (could be a WebID?) to identify it,
and that identifier will be in the Credential - or verifiable claim. 
The question is then what is the equivalent institution in another country?
What is the DMV in Japan? This information has to be public, verifiable,
on the web, and machine readable so that browsers can use that to
help people make decisions about the validity of a claim.

So there is a part of the Web of Trust that does not require cryptography.
It is a linked data and ontology problem that of course requires the underlying layers such
as https to be cryptographically sorted out. This allows us to build a web of 
trust without cryptography, which makes for a better separation of
concerns. That was my point in the first answer to Bryan Ford's question

"PGP vs hyper-data Web of Trust"
https://medium.com/@bblfish/on-twitter-bryan-ford-asked-the-following-question-f4fbd2b311be

In short: this web of trust does not have the security problems of the PGP web
of trust because it abstracts away the web of trust, and it ties knowledge
into institutions, with the aim of getting that knowledge embedded into browsers
so that when you go to a web site you can know a lot more about the company
running it. :-)

> 
> Liam
> 
> -- 
> Liam Quin, W3C, http://www.w3.org/People/Quin/
> Staff contact for Verifiable Claims WG, SVG WG, XQuery WG, CSS WG
> Improving Web Advertising: https://www.w3.org/community/web-adv/
> Personal: awesome vintage art: http://www.fromoldbooks.org/

Received on Thursday, 21 June 2018 16:24:15 UTC
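
An added illustration of the lookup described in the message above (not code from the post, the linked articles or any W3C specification): given a credential whose signature has already been checked by a separate layer, decide from published, machine-readable statements whether its issuer is the institution authorised for that kind of claim. The vocabulary (`recognises`, `authorises:<type>`), the URLs and the registry contents are all constructed assumptions.

```python
from collections import deque

# Constructed statements (subject, predicate, object), standing in for linked
# data that each institution would publish at its own https URL.
US = "https://us.example/#state"
JP = "https://jp.example/#state"
XX = "https://xx.example/#state"   # a state no one in this graph recognises
REGISTRY = {
    (US, "recognises", JP),
    (JP, "recognises", US),        # cycle: the walk must not loop forever
    (US, "authorises:DrivingLicence", "https://dmv.us.example/#org"),
    (JP, "authorises:DrivingLicence", "https://licence.jp.example/#org"),
    (JP, "authorises:Degree", "https://univ.jp.example/#org"),
    (XX, "authorises:DrivingLicence", "https://dmv.xx.example/#org"),
}

def objects(subject, predicate):
    """All objects of (subject, predicate, ?) in the registry, in stable order."""
    return sorted(o for s, p, o in REGISTRY if s == subject and p == predicate)

def authority_path(anchor, issuer, claim_type, max_hops=3):
    """Breadth-first walk from the verifier's own trust anchor across
    'recognises' links. Returns the chain ending in `issuer` if some reachable
    state authorises it for `claim_type`, otherwise None."""
    queue, seen = deque([[anchor]]), {anchor}
    while queue:
        path = queue.popleft()
        state = path[-1]
        if issuer in objects(state, "authorises:" + claim_type):
            return path + [issuer]
        if len(path) - 1 >= max_hops:      # bound how far trust is delegated
            continue
        for nxt in objects(state, "recognises"):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def check(credential, anchor):
    """No cryptography here: signature verification is assumed to be done
    elsewhere, this only answers 'is the issuer the right institution?'."""
    path = authority_path(anchor, credential["issuer"], credential["type"])
    return {"accepted": path is not None, "path": path}

if __name__ == "__main__":
    cred = {"type": "DrivingLicence", "issuer": "https://licence.jp.example/#org"}
    print(check(cred, anchor=US))
```

The rejected cases matter as much as the accepted one: a validly signed credential from a real institution still fails if that institution is authorised for a different claim type, or if no chain of recognition links it to the verifier's anchor.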