[Enigmail] Setting trust levels for unknown keys

Robert J. Hansen rjh at sixdemonbag.org
Wed Apr 29 14:27:26 PDT 2009


Faramir wrote:
>   Right, it's indeed a very good question. Leaving aside that it is always
> a personal decision whether or not to trust a key or CA, CAcert is based on
> the OpenSource philosophy, and that means their policies and procedures are
> available to be checked by everybody.

Their policies and procedures are one thing -- but how do you know that
the policies and procedures they list are the same as what they actually
_do_?

When I'm teaching software engineering, I present the students with a
hypothetical question involving a database system that's written
entirely in RavenSPARK, with formal correctness proofs, a stackload of
documentation explaining the design from conception to delivery,
lifecycle diagrams, UML, the whole nine yards.  This database system is
great and it's bug-free.  I tell them I have not lied to them in any
detail about any component of this database system.  It really is that
good.  Should they recommend their client deploy it?

They always say yes.  Then I ask them what they will tell the family of
the dead Air Force pilot when he goes to pull his ejection seat and his
seat's ballistic computer goes off and performs 250,000 SQL queries per
second instead of actually firing the pilot out of the cockpit the way
it's supposed to.

The moral of the story is that even if something is developed
_perfectly_, it can still be totally unsuitable for the purposes to
which it is being deployed in the field.  There is no substitute for
getting on-the-ground knowledge of how your product will be used, in
what environment, by what users, for what purposes.  Without that,
you're putting a lot of trust in some pieces of paper written by some
schmuck who probably doesn't understand the problem at all.

There is no substitute for direct on-the-ground knowledge.  If you're
cool with trusting CAcert without this, that's your call to make: but I
don't think impressive documentation, by itself, inspires much confidence.

> Of course, maybe you wouldn't trust Thawte either, and I
> know you have the right to do that.

Thawte has more to lose by screwing up.  Thawte's a business that has to
keep customers happy or else they're out of business.  CAcert, by its
nature as an unpaid volunteer project, can afford to screw it up badly
and still retain most of its users.

It isn't so much that I think Thawte is more morally pure or virtuous or
anything else.  I think Thawte is less immune to the consequences of
their actions, and I further think Thawte knows this.  That tends to
lead me to believe they're more suitable recipients of trust.
