Perhaps you wouldn't trust your WOT with your life, but at least you know
that there is some accountability in the signature chain. If you find that
Mallory has a key that says "Bob" then you can follow the
signatures. When you find the person who admits that he signed a key that
he didn't verify then you can kick his sorry ass.
The trust metric doesn't have to be boolean. Look at Verisign's WOT, where
everybody has a number of points. Bank Managers start with 100 points and
you and I start with 0 points. Your number of points increases whenever a
high-pointer signs your key. People younger than 21 get fewer points, etc.
http://www.thawte.com/certs/personal/wot/
Amanda.
On Thu, 27 Jul 2000, Eugene Leitl wrote:
> amanda writes:
> > You are not supposed to trust key servers. It is the keys that you trust,
> > because they are signed by someone you trust (the CA or your WOT).
>
> I'm a bit hazy on this web of trust thing. I can trust my close
> friends (I think). I would sign their keys. They would sign mine. So
> far ok. But I'm not sure the chain letter would still work, if
> propagated long enough. The trust metric is boolean, and it does not
> use consensus, right?
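The two ideas in this exchange, a points-based (non-boolean) trust metric and following the signature chain back to whoever vouched for a bad key, can be modelled in a few dozen lines. The following is an added example, not code from the thread or from Thawte/Verisign; the scoring rules (35 points per signature from a 100-point "notary", a 100-point cap, half credit for holders under 21) are assumptions chosen to illustrate the idea, not the real scheme's numbers. Mutual signatures between friends create cycles, so points are computed by fixed-point iteration rather than simple recursion.

```python
"""Toy points-based web of trust (constructed example, not Thawte's real rules)."""
from dataclasses import dataclass, field

# Assumed parameters, not from the thread: a signature from a "high-pointer"
# (a key holding at least NOTARY_POINTS) is worth AWARD_POINTS; totals are capped.
NOTARY_POINTS = 100
AWARD_POINTS = 35
MAX_POINTS = 100
MINOR_FACTOR = 0.5   # assumed: signatures on keys of under-21 holders count half


@dataclass
class Key:
    owner: str
    base_points: int = 0      # e.g. 100 for a bank manager, 0 for the rest of us
    minor: bool = False       # holder younger than 21
    signers: list = field(default_factory=list)   # owners of keys that signed this one


class WebOfTrust:
    def __init__(self) -> None:
        self.keys: dict = {}

    def add_key(self, owner: str, base_points: int = 0, minor: bool = False) -> Key:
        key = Key(owner, base_points, minor)
        self.keys[owner] = key
        return key

    def sign(self, signer: str, subject: str) -> None:
        """Record that `signer` vouched for `subject`'s key; `signer` is now accountable."""
        if signer not in self.keys or subject not in self.keys:
            raise KeyError("both signer and subject must hold keys in the web")
        if signer == subject:
            raise ValueError("a self-signature carries no trust")
        if signer not in self.keys[subject].signers:
            self.keys[subject].signers.append(signer)

    def points(self) -> dict:
        """Fixed-point iteration: a key earns points from every signer that is itself
        a notary. Points only grow and are capped, so the loop terminates even when
        friends have signed each other's keys (a cycle)."""
        pts = {k.owner: min(k.base_points, MAX_POINTS) for k in self.keys.values()}
        while True:
            changed = False
            for key in self.keys.values():
                award = AWARD_POINTS * (MINOR_FACTOR if key.minor else 1)
                earned = sum(award for s in key.signers if pts[s] >= NOTARY_POINTS)
                new = min(MAX_POINTS, int(key.base_points + earned))
                if new != pts[key.owner]:
                    pts[key.owner] = new
                    changed = True
            if not changed:
                return pts

    def accountability_chain(self, owner: str) -> list:
        """All (signer, subject) edges reachable backwards from `owner`'s key: the
        audit trail one follows to find who vouched for a key they never verified."""
        chain, seen, stack = [], set(), [owner]
        while stack:
            subject = stack.pop()
            if subject in seen:
                continue
            seen.add(subject)
            for signer in self.keys[subject].signers:
                chain.append((signer, subject))
                stack.append(signer)
        return chain


def build_example() -> WebOfTrust:
    """Constructed sample web: three bank managers, two ordinary people, one minor."""
    wot = WebOfTrust()
    for manager in ("alice", "dave", "eve"):
        wot.add_key(manager, base_points=100)
    wot.add_key("bob")
    wot.add_key("carol", minor=True)
    wot.add_key("mallory")
    wot.sign("alice", "bob")      # three notaries sign bob: 3 * 35 = 105, capped at 100
    wot.sign("dave", "bob")
    wot.sign("eve", "bob")
    wot.sign("bob", "carol")      # bob is now a notary, so this counts (halved: carol is under 21)
    wot.sign("alice", "carol")
    wot.sign("carol", "mallory")  # carol holds 35 points, not a notary: worth nothing to mallory
    return wot


if __name__ == "__main__":
    wot = build_example()
    print(wot.points())
    print(wot.accountability_chain("mallory"))
```

Running it shows the non-boolean metric at work: Bob reaches notary status only because three high-pointers vouched for him, Carol's points are Bob's and Alice's halved awards, and Mallory's single signature from a non-notary earns nothing. The chain for Mallory's key lists Carol first, then the people who vouched for Carol, which is exactly the walk Amanda describes.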