Revision [2225]

This is an old revision of WebOfTrust made by BrianKoontz on 2010-12-12 03:17:04.

 

Establishing a "web of trust" for OpenNIC servers


There is currently no way to determine the integrity of an OpenNIC server other than through interpersonal relationships, or knowledge of the OpenNIC principals that hold a high level of trust in the OpenNIC community. With the influx of people volunteering their services to run Tier 2 servers, it is becoming difficult to keep up with which servers are trusted, and which are untrusted. ("Untrusted" in this sense doesn't mean "not trusted," but rather "not enough information available to trust".) New members often ask how they know a certain Tier 2 server can be "trusted." There is probably not a deterministic answer to this. However, I believe we can use and leverage off the "web of trust" model that GPG uses to determine the level of trust one might give to a particular user's public key (i.e., "How sure am I that this key actually belongs to the user I think it belongs to?").

Before I go further, a disclaimer: I am not a cryptographer, nor am I an expert in public key infrastructure. That said, I do read a lot on the topic, and implement several levels of encryption in my own activities, so I encourage you to do the same. This is not a GPG or PKI primer. There are folks much more knowledgeable than I who have written some very good how-tos on this topic. A good place to start would be The GNU Privacy Handbook.

Who do we trust?


The first step to implementing a web of trust is to determine who we trust enough to "anchor" our web of trust. Everybody trusts themselves. But do you trust the person I might put forward as an appropriate anchor? To trust in my decision, you would have to either (1) know me personally and trust me, or (2) know me by reputation and trust that reputation. The weakest link in any web of trust will be the anchor. If the anchor turns out to be untrusted, then any relationships between the anchor and others are immediately suspect.

It's important to establish one or more anchors that are impeccable in terms of trust. I trust the Dalai Lama, and I imagine a large number of people trust him as well, but I doubt he has the time to devote to OpenNIC given all of the other causes in which he engages. So the Dalai Lama would be a great anchor, but probably not a feasible anchor.

Some of us have been with OpenNIC since the "start". (Many probably don't know that OpenNIC has been around for 10 years, but that there was also an OpenNIC "resurrection" a few years ago that many consider to be the "start".) Personally, if I am going to be involved in an organization, I'm going to have a certain level of trust in the people who are considered the principals of that organization. It might be a high level or a low level of trust, but it's a known quantity that can be determined only at the individual level. For instance, I partake of many Google services...but I don't necessarily have a high level of trust for the Google management team. OTOH, I participate in OpenNIC, and I happen to have a very high level of trust in Julian DeMarchi, who worked with me to help bring OpenNIC back to life.

Based on that high level of trust, I personally would have no problem establishing Julian's credentials as the "anchor" for the web of trust.