Flaws in the 'web of trust' approach to trust issues

January 1, 2009

One alternative to monolithic certificate authorities is a web of trust approach to trust issues. Here's my view of the flaws of this model as an alternative to CAs, when used in practice.

First, you haven't actually removed the need to pick trust roots; every user has to start their web somewhere, and usually they are going to start from some well-known root or roots. What you have really done is made trust roots less subject to detailed scrutiny and criticism, and probably made it less obvious to people who they should start out trusting.

Next, a web of trust is only as strong as its weakest link, and there are a lot of links, which means a lot of places for the overall web to be weak and thus to let attackers in. The usual answer is revocation, but threats of revocation are subject to being gamed by attackers, for example by the attacker doing their best to have a bunch of valid nodes dependent on their certification in addition to the harmful nodes. Revocation also assumes that you can reliably identify the true start of the rogue nodes, which I think is optimistic; there is a lot that an attacker can do to cloak how far up the web of trust the rot truly goes.

There are more sophisticated schemes that try to work around the second issue (requiring more endorsements for more trust, see trust metrics), but I believe that it's been demonstrated that sufficiently determined attackers can eventually game them too.
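The weakest-link and revocation problems above can be seen in a toy model. This is an added example, not code from the original post; the key names, the graph and the simple endorsement threshold `k` are constructed for illustration and are not any real trust metric.

```python
# Constructed sample web of trust: "A": ["B"] means A has certified B's key.
CERTS = {
    "root": ["alice", "bob"],
    "alice": ["carol", "mallory"],   # alice is the weak link: she was fooled once
    "bob": ["carol"],
    "mallory": ["dave", "erin", "rogue1", "rogue2"],  # honest dave/erin depend on the attacker
    "dave": ["frank"],
}
ROGUE = {"mallory", "rogue1", "rogue2"}  # ground truth, which real users do not have


def accepted(certs, root, revoked=frozenset(), k=1):
    """Keys a user starting at `root` ends up accepting.

    A key is accepted if the root certified it directly, or if at least `k`
    already-accepted keys certified it. Revoked keys are never accepted, so
    their certifications count for nothing.
    """
    endorsers = {}
    for signer, signed in certs.items():
        for key in signed:
            endorsers.setdefault(key, set()).add(signer)
    ok = {root}
    changed = True
    while changed:  # iterate to a fixed point
        changed = False
        for key, signers in endorsers.items():
            if key in ok or key in revoked:
                continue
            live = signers & ok
            if root in live or len(live) >= k:
                ok.add(key)
                changed = True
    return ok


def revocation_outcome(certs, root, revoked, rogue, k=1):
    """Return (rogue keys still accepted, honest keys cut off by the revocation)."""
    before = accepted(certs, root, k=k)
    after = accepted(certs, root, revoked=set(revoked), k=k)
    return (after & rogue), (before - after - rogue)


if __name__ == "__main__":
    print(revocation_outcome(CERTS, "root", {"mallory"}, ROGUE))
    print(revocation_outcome(CERTS, "root", {"rogue1", "rogue2"}, ROGUE))
    print(sorted(accepted(CERTS, "root", k=2)))
```

Revoking `mallory` removes every rogue key but also cuts off `dave`, `erin` and `frank`, while revoking only the two leaf rogue keys costs nothing and leaves `mallory` accepted. With `k=2` the single fooled endorser no longer admits `mallory`, but the honest keys that hung off her are excluded as well.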

Sidebar: I don't think trust is even transitive

I also think that there is a strong argument that trust is simply not transitive in the way that a 'web of trust' requires it to be. On a concrete basis, there are at least three sorts of trusts involved in a web of trust:

  • I trust that you are Joe.
  • I trust that you are making sure of the identities of people that you are trusting.
  • I trust you to make sure that other people are verifying the identities of people that they are trusting.

These trusts (and their further recursion) are entirely different things and cannot be bundled together. They are also increasingly hard to verify (to the point where I think that most schemes only really verify the first trust and wave their hands about everything else).


Last modified: Thu Jan 1 23:58:25 2009