Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: introducer trust model, Was: Eat this RIAA (or, the war has begun?)

  • From: Vadim Antonov
  • Date: Thu Aug 22 22:38:13 2002



The point of web-of-trust models is not to identify anyone reliably, but 
to make obtaining false identities harder.  I.e. every signatory risks 
their reputation by signing someone else's certificate, and it is easy to
mark that signatory as untrustworthy, thus effectively invalidating or
reducing trustworthiness of all parties having that signatory in the
trust chain.

This can be defeated by creating chains of sham identities; but somewhat 
more advanced graph analysis (i.e. identifying "gateway" links to the 
subgraph where a cluster of untrustworthy behaviour is detected) can deal 
with that too.  Such analysis can be performed proactively, on a 
distributed collection of host computers checking links at random.

However, web of trust per se is not sufficient; what the Internet needs is 
some way to assemble irrevocable "reputation" files for assumed and real
identities.  The problem of false reports on the files can be addressed by 
checking trustworthiness of report submitters before factoring their 
reports into final scores.

The practical irrevocability can be achieved using techniques similar to 
Publius.  (Finding all individual reports for the identity is an 
interesting problem, though :)  Protection of the system from floods of
bogus reports is going to be interesting, too.

Obviously, a system like that could be very useful in business
transactions, too.

--vadim

On Thu, 22 Aug 2002, Steven M. Bellovin wrote:

> 
> In message <20020822142836.A92148@mail.webmonster.de>, "Karsten W. Rohrbach" writes:
> >
> >i am not an expert in this field, but i think that a generic standard
> >for this kind of trust model is long overdue, the only application
> >nowadays out there in the wild using it being pgp's model of the web of
> >trust.
> >
> 
> I doubt that it would work well -- one "mole" would suffice for many 
> large penetrations.
> 
> 		--Steve Bellovin, http://www.research.att.com/~smb (me)
> 		http://www.wilyhacker.com ("Firewalls" book)
> 
> 
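
An added illustration of the two mechanisms in the message above (not code from the thread or from any participant): on a constructed signature graph, it shows how distrusting one signatory removes every identity whose chains all pass through it, and how the "gateway" signature leading into a cluster of flagged identities can be located. All identity names, the function names, and the ranking by collateral damage are assumptions of this example.

```python
from collections import deque

# Constructed sample data: signer -> identities whose certificates it signed.
SIGNATURES = {
    "root": ["alice", "bob"],
    "alice": ["carol", "mallory"],
    "bob": ["carol"],
    "mallory": ["sham1", "sham2"],
    "sham1": ["sham2", "sham3"],
    "sham2": ["sham3"],
}

def trusted(sigs, root, distrusted=frozenset(), skip_edge=None):
    """Identities that have a signature chain from root which avoids every
    distrusted signatory and the optional skipped (signer, subject) link."""
    seen, queue = {root}, deque([root])
    while queue:
        signer = queue.popleft()
        for subject in sigs.get(signer, ()):
            if subject in seen or subject in distrusted:
                continue
            if (signer, subject) == skip_edge:
                continue
            seen.add(subject)
            queue.append(subject)
    return seen

def gateway_links(sigs, root, flagged):
    """Single signatures whose removal cuts every flagged identity off from
    root, ranked by how many unflagged identities lose trust as well."""
    baseline = trusted(sigs, root)
    found = []
    for signer, subjects in sigs.items():
        for subject in subjects:
            remaining = trusted(sigs, root, skip_edge=(signer, subject))
            if flagged & remaining:
                continue  # some flagged identity still has a chain
            collateral = baseline - remaining - flagged
            found.append(((signer, subject), len(collateral)))
    return sorted(found, key=lambda item: item[1])

if __name__ == "__main__":
    flagged = {"sham1", "sham2", "sham3"}  # constructed misbehaving cluster
    print(gateway_links(SIGNATURES, "root", flagged))
    print(sorted(trusted(SIGNATURES, "root", distrusted={"mallory"})))
```

The first-ranked link is the signature closest to the cluster; signatures inside the sham cluster never qualify because the sham identities cross-sign each other.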




