[Monotone-devel] Re: PGP key signing


From: Graydon Hoare
Subject: [Monotone-devel] Re: PGP key signing
Date: Tue, 01 Aug 2006 15:27:52 -0700
User-agent: Thunderbird 1.5.0.5 (Windows/20060719)

Bruce Stephens wrote:
> And (obviously) maybe a VCS could use some kind of similar idea,
> rather than trust always being binary.
>
> So maybe when I do "mtn update", I could give some indication of how
> lucky I feel, and then mtn could choose a revision that's either
> completely tested and signed by people I definitely trust, or perhaps
> a riskier one with possibly more features.

Despite being frequently lost in the noise of developing a working system, this is exactly the reasoning that went into the current design: that a public key is most useful when it has signed *lots* of old material you consider good, not when it's attested through a complex PKI. This is why we issue such a great volume of certs, and why the update (good/no-good) decision is delayed until the last second, and even then consults user preferences via a trust hook.

Of course such a view of public keys doesn't protect against "passive infiltration" attacks, where someone submits weeks or years of "good" signed material only to one day suddenly turn "evil". I don't know of anything *cryptographic* that protects against such a scenario, though. Certainly not having some magic rubber stamp from Verisign or the PGP SCC.

-graydon
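As an added illustration of the trust-hook decision described in the message above (this is not code from the message or from monotone's own standard hooks): a Lua `get_revision_cert_trust` hook that lets the user pick a risk level, so that a "safe" update only follows certs from fully trusted keys while a "lucky" one also accepts keys that are merely known. It assumes monotone's hook signature `get_revision_cert_trust(signers, id, name, value)` with `signers` as a table of key identifiers and `testresult` as the cert name for test results; the key names and the `MTN_RISK` environment variable are constructed placeholders.

```lua
-- Added example, not monotone's own hook code. Hook signature and the
-- "testresult" cert name are assumed from monotone's Lua hook interface;
-- key identifiers and MTN_RISK are constructed placeholders.

-- Keys whose signatures I fully trust (constructed placeholders).
local core_keys  = { ["alice@example.org"] = true, ["bob@example.org"] = true }
-- Keys I have seen contribute before but have not vetted as closely.
local known_keys = { ["carol@example.org"] = true }

-- Risk level for this run: "safe" (default) or "lucky".
-- Constructed knob: read from the MTN_RISK environment variable.
local function risk_level()
  return os.getenv("MTN_RISK") or "safe"
end

-- True if at least one signer of the cert is in the given key set.
local function any_signer_in(signers, set)
  for _, key in ipairs(signers) do
    if set[key] then return true end
  end
  return false
end

-- monotone calls this once per revision cert while evaluating candidate
-- revisions; returning false marks the cert untrusted, so "mtn update"
-- will not pick a revision on the strength of that cert.
function get_revision_cert_trust(signers, id, name, value)
  if risk_level() == "lucky" then
    -- Riskier mode: accept certs from anyone I have at least heard of,
    -- which may pull in newer, less-tested revisions.
    return any_signer_in(signers, core_keys)
        or any_signer_in(signers, known_keys)
  end
  -- Safe mode: a testresult cert counts only when a core key signed it;
  -- every other cert (author, date, changelog, branch) likewise requires
  -- a core key, so the chosen revision is one trusted people vouched for.
  if name == "testresult" then
    return any_signer_in(signers, core_keys) and value == "1"
  end
  return any_signer_in(signers, core_keys)
end
```

Neither mode addresses the "passive infiltration" case the message raises: a key in `core_keys` that has earned its place with years of good certs is trusted just the same on the day it turns bad, which is exactly why the decision is left to a user-editable hook rather than fixed policy.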