Tryphon 🌂 mastodon (AP)
The OpenAI hand-wringing makes me think we need a decentralized web-of-trust even more urgently.

Finding random people to follow on Mastodon is fine and fun, but we need to be able to find out who to trust, and get info from, and work with, etc. beyond the first or second degree connections.
@Tryphon I'm ignorant of the hand-wringing you speak of, but this sounds like you want a technical solution to a social problem...

People (and trust) are highly subjective and they change over time.

The people you trust with your life today may be your bitter divorces of tomorrow. The network security guru may also be a rapist "in his spare time."

The idea that some sort of computer system could tell us who to trust strikes me as not only impossible, but actively dangerous to attempt.
Tryphon 🌂 mastodon (AP)
. @HerraBRE OpenAI built a text generation model that can write fairly good essays (about the level of a 45 press conference: decent English but incoherent). So they did not release the full model nor the training code for fear that bad actors would misuse it. Never mind that large companies/states will have no problem replicating the results.
@Tryphon Yes, I read about it. Sounded quite responsible of them.

Since much of my career was spent fighting spam (or just dealing with the fallout from their trashing of the commons), I'm quite happy to see people aren't giving those low-lifes more things to weaponize.

I take it you disagree. 😁
Tryphon 🌂 mastodon (AP)
@HerraBRE I don't necessarily disagree, but I wonder what they were thinking when they started OpenAI? That they would only get results that, magically, could only be used for good?

Also, they did publish. It's just that it will take some time and money to replicate their results. A few weeks at most for Google, Facebook, Amazon or Microsoft.
@Tryphon Which is fine, IMO. Those are not the only bad actors in the world.

Far from it, there are lots and lots of low-lifes out there who are currently held back by their own ineptitude or lack of resources.

The scientists who worked with nuclear fusion and fission had to confront these issues, I see no reason why compsci and AI should get a pass. These issues are far too complex for all-or-nothing binaries.
Tryphon 🌂 mastodon (AP)
@HerraBRE A single universal "trust score" would indeed be ridiculous or even dangerous.

But say you would like to get the opinion of someone knowledgeable about a subject you are not familiar with. How do you do it? Ask around, right? And the recommendation you may get (if you are lucky) is for a specific subject, today. That might be feasible technically. I recently came across this post which touches on the question:
@Tryphon I agree we could use a better LinkedIn. 😁

Anyone that takes inspiration from the PGP web-of-trust would do well to seriously reconsider. IMO, obviously.

The PGP web of trust was (is) a very deep, fundamental failure. That article doesn't even scratch the surface of why - quite the opposite, it's largely written from the POV that the underlying concept had merit.

I disagree, I think it's dangerous and harmful.

As a result, I'm deeply sceptical of any derived works.
Tryphon 🌂 mastodon (AP)
@HerraBRE Let's say a LinkedIn that does something useful 😉

I am not familiar with the PGP web of trust, I was mostly intrigued by the other possibilities mentioned.
@Tryphon The PGP WOT's core concept goes like this:

1. I publish claims with my key, e.g. "this key belongs to Bjarni."

2. Others sign these claims to vouch for their truthfulness.

3. You calculate a trustworthiness score for a key by finding paths through the social graph of attestations.

It conflates "This key is safe to use" with "a claim was truthful", with "I convinced people of something", with "I am to be trusted to evaluate others' claims."

These are not sane or safe equivalences.
@Tryphon ... and as a by-product of sustaining this crazy method for validating keys, you create a permanent public record of which people know each other (and due to PGP signing customs, have probably met in person) and when.

Social graphs contain very sensitive information.

No secure system should immutably and publicly leak that kind of information about its users - for many, especially the people who NEED the kind of trust the system claims to offer, it's actively dangerous to participate.
@Tryphon That's the two-toot summary of why I hate the PGP WoT. 😁

I hope it's at least marginally interesting!
Tryphon 🌂 mastodon (AP)
@HerraBRE very interesting! Thank you for the summary!
Tom Rini mastodon (AP)
@HerraBRE @Tryphon So, not being a PGP expert myself, but doesn't TOFU (Trust On First Use) help with that problem?
@trini @Tryphon TOFU is a completely different approach; one I am much more comfortable with.

The only guarantee TOFU gives is "this is the same key as you were communicating with last time" - which is simple enough that people can reason about it, and yet strong enough that it significantly boosts security.

TOFU is an excellent baseline, people who need more can augment it by verifying keys out of band, pinning keys, etc.

Simplicity matters! For code and UX.

Bad UX = mistakes = insecurity.
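A minimal TOFU pin store as an added example (my own code, not anything from this thread or from any PGP implementation), showing the single guarantee described above: the first key seen for a peer is pinned, later keys are compared against it, and a mismatch is surfaced rather than silently accepted or overwritten. The peer names and key bytes are constructed; SHA-256 of the key bytes stands in for a real key fingerprint.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample keys: stand-ins for the public key bytes a peer presents.
ALICE_KEY_V1 = b"-----CONSTRUCTED KEY alice v1-----"
ALICE_KEY_V2 = b"-----CONSTRUCTED KEY alice v2-----"


def fingerprint(key_bytes: bytes) -> str:
    """Stable identifier for a key; SHA-256 stands in for a real key fingerprint."""
    return hashlib.sha256(key_bytes).hexdigest()


@dataclass
class TofuStore:
    """Pins the first key seen for each peer; later contacts are checked against it."""
    pins: dict = field(default_factory=dict)  # peer id -> pinned fingerprint

    def check(self, peer: str, presented_key: bytes) -> str:
        fp = fingerprint(presented_key)
        pinned = self.pins.get(peer)
        if pinned is None:
            self.pins[peer] = fp  # first use: nothing to compare with, so pin it
            return "first-use"
        if pinned == fp:
            return "match"  # the one guarantee TOFU gives: same key as last time
        # A changed key is the failure mode TOFU exists to surface. The store is
        # left untouched; the caller must verify out of band before re-pinning.
        return "mismatch"

    def repin(self, peer: str, verified_key: bytes) -> None:
        """Replace a pin only after the new key was verified out of band."""
        self.pins[peer] = fingerprint(verified_key)


def run_scenario() -> list:
    """Walk one peer through first contact, repeat contact, key change, and re-pin."""
    store = TofuStore()
    outcomes = [
        store.check("alice", ALICE_KEY_V1),  # first contact: pinned, not verified
        store.check("alice", ALICE_KEY_V1),  # same key again: match
        store.check("alice", ALICE_KEY_V2),  # different key: mismatch, pin unchanged
    ]
    store.repin("alice", ALICE_KEY_V2)       # only after an out-of-band check
    outcomes.append(store.check("alice", ALICE_KEY_V2))
    return outcomes


if __name__ == "__main__":
    print(run_scenario())
```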
@trini @Tryphon Another recent development in the PGP world is WKD, the web key directory.

The security of WKD piggy-backs off TLS and the CA-based trust model of the web.

The WKD promise is "the website at claims this is the key for". That's a good baseline, assuming the user is on friendly terms with his domain and website admin.

WKD is great for institutions and organizations, maybe less awesome for Joe Random Activist.
tethre mastodon (AP)
@HerraBRE @trini @Tryphon still a better start than sks keyservers, though.

also, we need to enhance the pgp key specification, by only allowing signatures that were signed off by the key-owner themselves to be attached to public keys!
@HerraBRE @Tryphon

"there is no digital shortcut to trust"

"trust is a brain-to-brain API"

Web of Trust is a social construct, not a technical one. We can make systems that help us maintain web-of-trust systems and make them easier to understand using technical solutions, though. And that is helpful to have over the internet.