Re: Why did the PGP Web of Trust fail?

> On 21 Jun 2018, at 12:36, Bohdan Andriyiv <bohdan.andriyiv@validbook.org> wrote:
> 
> PGP WoT failed (in a sense of getting E2EE of emails to the masses), because it is too hard to use. People want to do stuff and go places. Convenience trumps everything. Cost/Benefit equation for PGP is very unbalanced. For a lot of people PGP cost is not just not worth the benefit, but plainly insurmountable (learn about keys, certificates, key signing - come on!).

User Interfaces can be improved or worked on. That of course requires working with artists, and
from my experience the problem there is that there are not many meetings where both cryptographers
and artists get together.

But protocols and formats also limit what designers can do. So from my quick analysis of
RFC4880 there are only 256 attributes allowed, they are identified by numbers, and therefore
require centralised coordination to come to an agreement on.  And if an attribute number were to
be agreed, then you'd still be left with having to agree on the syntax of the content of that attribute.

RDF solves both those problems and has a binary format proposal too and allows decentralised
extensibility without requiring English to be the main language: the words in RDF are URIs.
http://www.rdfhdt.org/hdt-binary-format/


> Bringing institutions into WoT, will not make it successful in a sense of getting E2EE of emails to the masses. After all, the goal of WoT to bring E2EE to the masses has been achieved via commercial interests - ProtonMail, all mainstream IM apps (WhatsApp, Viber, Telegram).

The Web of Trust I am claiming is missing from the current web is not a cryptographic WoT.
It is one based on hyper-data. So we could call it Hyper-Trust or World Wide Web of Trust.
This WWWoT is useful just to let us know simple factual things like if the web site claiming to be
of a watch maker in Switzerland is actually owned by a shop in Switzerland, and perhaps who owns
it, etc... Or if a bank in China is a bank that our country accepts as a bank, and will involve diplomatic
processes if we have a problem. Or if the Signed Claim using the future Verifiable Claims JSON-LD
standard which is signed by an organization in Peru, is actually the right kind of organization to hand
out such documents, and if our country and police will accept that document. (Think about Hertz employees
needing to make a decision on this.)

This WWWoT does not exist. But it would be extremely helpful in allowing all the other things to emerge.

> Bringing institutions into WoT, will make it successful in a sense that it will allow people to cooperate (exchange money and ownership rights) with more reliability. To do this it should not make the main PGP WoT mistake - being too complex.

Its binary format is limited in extensibility. But that's fine. They can move to the Verifiable Claims WG and
get it all.
https://www.w3.org/2017/vc/WG/

But even if they had that they would still need a WWWoT for the reasons explained above and in the post. :-)

> That's why when designing Validbook's Endorsement Graph I decided to make it an undirected graph, only mutual relations counted (no ambiguity in who knows who); no levels of trust (you either trust identity's SURLHI claim or not). Validbook Statements are very simple, real-world-like digital documents. Here is an example of a contract - http://futurama1x.validbook.org/statements/templates/Wedding%20Photography%201-13. You will be able to attach to it your digital passport issued by government and sign it together. In this way counterparty can be sure about your legal/government identity (be able to go to a judge in a proper jurisdiction and bring you to responsibility if needed). Most importantly, it is all (Validbook Statements, building your Validbook Identity's SURLHI Endorsement Graph) very human friendly. That's why Validbook slogan is - "Do important stuff with confidence".
> 
> --Bohdan
> 
> 
> On Thu, Jun 21, 2018 at 12:09 PM, Henry Story <henry.story@bblfish.net> wrote:
> Thanks a lot! That is what I was looking for to help me write the article. 
> 
> I am reading the first with great interest. When done (if my main thesis still holds) I'll 
> try to integrate the concepts into a revised clearer version of the article. :-)
> 
>> On 21 Jun 2018, at 00:56, Christopher Allen <ChristopherA@lifewithalacrity.com> wrote:
>> 
>> I encourage you to read what the creators of PGP wrote for the first #RebootingWebOfTrust 
>> 
>> https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust/blob/master/topics-and-advance-readings/PGP-Paradigm.pdf
>> 
>> Lots of other useful documents in the various #RebootingWebOfTrust repos, both community created docs in /final and individual submissions at /topics-and-advance-readings
>> 
>> https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust/blob/master/topics-and-advance-readings/modern-pki-identity-assertions.md
>> https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust/blob/master/topics-and-advance-readings/FirstEncountersWithPGP.md
>> https://github.com/WebOfTrustInfo/ID2020DesignWorkshop/blob/master/topics-and-advance-readings/PeerAttestationofIdentity.pdf
>> — Christopher Allen [via iPhone] 
> 
> 

Received on Thursday, 21 June 2018 18:45:18 UTC