@Tryphon The PGP WOT's core concept goes like this:

1. I publish claims with my key, e.g. "this key belongs to Bjarni."

2. Others sign these claims to vouch for their truthfulness.

3. You calculate a trustworthiness score for a key by finding paths through the social graph of attestations.

It conflates "This key is safe to use" with "a claim was truthful", with "I convinced people of something", with "I am to be trusted to evaluate others' claims."

These are not sane or safe equivalences.

ยท Web ยท 1 ยท 5 ยท 10

@Tryphon ... and as a by-product of sustaining this crazy method for validating keys, you create a permanent public record of which people know each other (and due to PGP signing customs, have probably met in person) and when.

Social graphs contain very sensitive information.

No secure system should immutably and publicly leak that kind of information about its users - for many, especially the people who NEED the kind trust the system claims to offer, it's actively dangerous to participate.

@Tryphon That's the two-toot summary of why I hate the PGP WoT. ๐Ÿ˜

I hope it's at least marginally interesting!

Sign in to participate in the conversation

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!