What is a Web of Trust?
A Web of Trust is a decentralized trust model for public identities (identity certificates, each consisting of a ‘public key’ - ‘name’ pair). Participants in the Web of Trust can endorse the validity of other identity certificates by cryptographically signing them. Note that a Web of Trust says nothing about the trustworthiness of a persona, only about the validity of their identity, i.e. whether the public key really belongs to the named person. Its goal is to stop impersonation.
Through a Web of Trust, two parties that never had contact before may establish a degree of trust in the validity of each other’s claimed identities, because one or more chains of signed identity certificates may exist between them. In the best case, they have many mutual friends that all signed both their identity certificates. Or perhaps they have only one long chain of signed identity certificates between them, through a friend of a friend of a friend of a friend. In that case the degree of trust is lower, because every friend in the chain is a potential single point of failure: one careless or malicious signer breaks the whole chain. In general, the degree of trust is higher when there are many short and parallel (independent) chains between two parties.
Why should we build a Web of Trust on SAFE?
I currently know of two main alternative trust models for public identities. One is the currently dominant, centralized system of certificate authorities, which again and again proves to be quite insecure. The other is the decentralized Web of Trust of OpenPGP, which doesn’t seem to be able to reach critical mass. The main reason for this seems to be the amount of effort and knowledge required to use it.
I think SAFE is extremely suitable to create a user-friendly decentralized Web of Trust. Public key cryptography is already inherent to its design without requiring expertise or complicated manual key management from its users. SAFE also has an integrated messaging service secured by this public key cryptography. In addition, SAFE will likely also be a host for all kinds of social media and platforms for commerce.
If we create a SAFE Web of Trust standard, SAFE’s messaging apps, social media and other platforms that connect public people can seamlessly integrate it in their contact management systems. Widespread usage of this standard would result in a densely connected Web of Trust, which increases its usefulness tremendously. If successful, it might even replace the currently dominant centralized system of certificate authorities. That would make SAFE indispensable to any modern state.
How should we go about it?
I think we should first analyse the shortcomings of OpenPGP’s Web of Trust, and improve upon those points. Its standard should perhaps be adapted to the different nature of SAFE’s ecosystem and our expectations of its use cases. User-friendliness should probably be the main focus.
A Web of Trust requires its users to have a certain level of competence in rating their trust levels of their contacts, so that process should be simple, understandable and intuitive to non-techies as well. Ideally, the average user shouldn’t even be aware of doing this. Smart algorithms and default categories for contacts that fit social reality could go a long way. These are just examples of course.
The results of the algorithms that rate the validity of identities (the ones that find and measure the signed chains) should be presented intuitively as well, for example by fitting colour gradients or other simple but effective scales or categories.
Anyway, these are just some of my personal suggestions. Feel free to add your own and/or ask questions!
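As an added illustration of the chain model from the first section (signed chains between two parties, a long chain in which every signer is a single point of failure, and the stronger case of many short parallel chains) and of the suggestion to present the result as simple categories, here is a small Python example. It is not part of the original post and is not SAFE or OpenPGP code. Everything in it is a constructed assumption: the certificate names and keys, the endorsements, the per-link reliability of 0.9, the greedy search for vertex-disjoint chains, and the category thresholds. Signature verification itself is left out; each endorsement is taken as an already-verified signature.

```python
from collections import deque

# Constructed sample data (not from the post). A certificate is written
# "name:key" to stand for a (public key, name) pair; an endorsement
# (signer, subject) stands for a signature the signer put on the subject's
# certificate. A real implementation would verify each signature against
# the signer's key before adding the edge.
ENDORSEMENTS = [
    ("alice:K1", "bob:K2"), ("alice:K1", "carol:K3"), ("alice:K1", "dave:K4"),
    ("bob:K2", "erin:K5"), ("carol:K3", "erin:K5"), ("dave:K4", "erin:K5"),
    ("alice:K1", "frank:K6"), ("frank:K6", "grace:K7"),
    ("grace:K7", "heidi:K8"), ("heidi:K8", "ivan:K9"),
    # An impostor certificate claiming the name "erin" under another key,
    # endorsed only by someone nobody in alice's web has signed.
    ("mallory:K10", "erin:K11"),
]


def build_graph(endorsements):
    """Directed graph: signer -> list of certificates the signer endorsed."""
    graph = {}
    for signer, subject in endorsements:
        graph.setdefault(signer, []).append(subject)
        graph.setdefault(subject, [])
    return graph


def shortest_chain(graph, src, dst, blocked, max_hops, skip_direct=False):
    """BFS for the shortest signing chain src -> dst of at most max_hops
    signatures that uses none of the certificates in `blocked` as an
    intermediate. Returns the chain as a list of certificates, or None."""
    parents = {src: None}
    queue = deque([(src, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for nxt in graph.get(node, []):
            if nxt == dst:
                if node == src and skip_direct:
                    continue
                chain = [node]
                while parents[chain[-1]] is not None:
                    chain.append(parents[chain[-1]])
                return chain[::-1] + [dst]
            if nxt in parents or nxt in blocked:
                continue
            parents[nxt] = node
            queue.append((nxt, depth + 1))
    return None


def disjoint_chains(graph, src, dst, max_hops=4):
    """Collect vertex-disjoint signing chains, shortest first, by blocking
    the intermediates of each chain found. Greedy, so it is a heuristic
    lower bound on the number of disjoint chains, not the optimum."""
    if src == dst:
        return [[src]]
    chains, blocked, skip_direct = [], set(), False
    while True:
        chain = shortest_chain(graph, src, dst, blocked, max_hops, skip_direct)
        if chain is None:
            return chains
        chains.append(chain)
        blocked.update(chain[1:-1])
        skip_direct = True  # a direct signature can only be counted once


def validity_score(chains, link_reliability=0.9):
    """Probability that at least one chain is sound, assuming each signature
    link is sound independently with probability link_reliability. A chain
    of k hops holds with probability p**k (every link is a single point of
    failure); disjoint chains combine as 1 - prod(1 - p**k_i), so many short
    parallel chains score highest and a lone long chain scores low."""
    p_all_fail = 1.0
    for chain in chains:
        p_all_fail *= 1.0 - link_reliability ** (len(chain) - 1)
    return 1.0 - p_all_fail


def category(score):
    """Map a score to a coarse label a non-technical user can act on.
    The thresholds are assumptions chosen for this example."""
    if score >= 0.9:
        return "strong"
    if score >= 0.6:
        return "marginal"
    if score > 0.0:
        return "weak"
    return "unknown"


def rate(endorsements, verifier, subject, max_hops=4, link_reliability=0.9):
    """Return (score, label, chains) for `subject` as seen from `verifier`."""
    graph = build_graph(endorsements)
    chains = disjoint_chains(graph, verifier, subject, max_hops)
    score = validity_score(chains, link_reliability)
    return score, category(score), chains


if __name__ == "__main__":
    for subject in ("bob:K2", "erin:K5", "ivan:K9", "erin:K11"):
        score, label, chains = rate(ENDORSEMENTS, "alice:K1", subject)
        print(f"{subject:9} {label:8} {score:.3f}  {len(chains)} chain(s)")
```

Run from alice's point of view, erin:K5 (three disjoint two-hop chains) rates "strong", ivan:K9 (a single four-hop chain) only "marginal", and the impostor erin:K11 rates "unknown" because no chain from alice reaches it at all, which is exactly the impersonation case the Web of Trust is meant to expose. The per-link reliability and the category cut-offs are the knobs a user-facing design would tune or hide behind sensible defaults.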