Archive of UserLand's first discussion group, started October 5, 1998.

Re: vision: purposeful online community for all human beings

Author:Paul Snively
Posted:7/10/2000; 2:28:27 PM
Topic:vision: purposeful online community for all human beings...
Msg #:18448 (In response to 18437)
Prev/Next:18447 / 18449

Steven Vore: What percentage are you all finding "out there" for acceptance of public-key crypto & signatures? My feeling is that it's still pretty low, but perhaps my view is inaccurate.

Nope, you're right on target: it's abysmally low.

IMNSHO, this is due to basically two factors:

  1. People have been fed a great deal of silicon snake oil (to blatantly rip off Cliff Stoll's wonderful phrase), particularly when it comes to security. Why should anyone trust that public-key crypto and digital signatures are any better than the last "secure" technology that got hyped?
  2. The available public-key crypto and digital signature technology leaves too many of the pipes exposed; ordinary users are pretty nonplussed upon seeing enormous strings of digits sprinkled with the occassional A, B, C, D, E, or F (why not just numbers? Why not the entire alphabet?) whenever they generate a key, encrypt a message, and/or sign a message. The "integration" of tools such as PGP into popular mailers such as Outlook or Eudora really only makes it slightly more convenient to invoke PGP; it's still an extra step and it still requires that the user know too much, e.g. if I wish to encrypt a message to so-and-so I need to get his/her public key from him/her or a keyserver somewhere. All of this plumbing needs to become invisible.

Basically, when I am in possession of someone's e-mail address, I effectively need to also be in possession of their public key. In the short term this probably simply means having an e-mail client that searches all the known public keyservers for that e-mail address' key whenever I send a message. If one is found, my message gets encrypted for me automagically (based on either a global preference or a per-recipient preference). If I want to sign my message, then I need a key-pair too, but this is easy to generate without confusing the user beyond the weirdness of having them provide whatever entropy they're going to provide (mouse movement, keyboard-click timing, whatever). So far, so good.

The issue of trusting public keys is a tough one because it's more psychological than anything else. I mean, if someone flashes a driver's license at us, we're liable to trust it, despite the bordering-on-ludicrous ease of coming up with fakes. Part of it is why-would-they-fake-it, and part of it is it's-an-official-state-document-so-it-MUST-be-accurate. The same phenomenon keeps organizations like VeriSign and Thawt in business; their digital certificates are no better than the ones you or I can generate by installing OpenSSL and/or OpenCA on a nearby Linux box. It's just that your and my name isn't VeriSign or Thawt. How do these organizations go about ensuring that the person who buys a digital certificate from them is who they say they are? Typically by insisting that the purchaser provide a couple of notarized forms of ID such as a birth certificate and/or passport and/or driver's license, and we're right back where we started. I could get a notary public to sign off on someone's government-provided piece of paper just as easily as anyone else.

In the final analysis, trust is cyclic and evolves as a belief system within a community. Money is just a symbol of trust that goods and services are worth X in exchange with each other; it has no physical basis. At one point it was believed that some scarce resource had to back it up, but by the early 1970's, at least in America, very few citizens even knew enough finance to know why that should or should not be the case, and Richard Nixon deemed it safe to take America off the gold standard. The economy didn't even flinch. Why? Because American citizens continued to believe that if they took their dollars to the stores, banks, and their friends, they'd still get proper value in exchange for good and services. Gold had nothing to do with it other than serving as yet another symbol, one whose "value" was "intrinsic" based on "scarcity." The concept turns out to be unnecessary.

Similarly, trust in PGP relies on people who are relatively known (starting with, say, Phil Zimmerman) signing the public keys of people who are relatively unknown. Presumably, then, if you "know" that Phil Zimmerman's public key is really in Phil Zimmerman's possession, then you can extend your trust to any other key he's willing to sign, and so on, and so on, and so on... hence, web of trust. All I need to do to have my trustedness shoot through the roof is find a couple of people with highly-trusted public keys, convince them that I am me, and get them to sign my public key too. Then I'm at the end of the whole chain, or enmeshed in the whole web, and I'm golden. Just like the monetary system.

Problem is, unless your user is accustomed to decentralized, distributed thinking, this might be confusing at best, and cause for scepticism at worst. Some folks are just far more comfortable with a centralized, authoritarian system; they want to be able to vest the majority of their trust in one place, or at worst a very small number of places. From a security and privacy standpoint this attitude is a disaster, but that doesn't make it any less real, and so far, the public key and digital signature tools I've seen, being written by good geeky cryptolibertarians like Phil Zimmerman, John Gilmore, et al, don't address this aspect of human psychology well at all, and I think this is also a barrier to adoption of the technology.

I'm confident that issues 1 and 2 above will resolve themselves over time; the psychology issue I feel is much, much deeper and thornier, because it involves either weakening the security and privacy properties of the technology to make users feel (falsely) warm and fuzzy, or literally changing the users' psychology to make them comfortable with an extreme lack of centralized authority.

There are responses to this message:

This page was archived on 6/13/2001; 4:55:37 PM.

© Copyright 1998-2001 UserLand Software, Inc.