User talk:Avraham/Wiki of Trust

Start with the top and go step by step
I believe we should start with the top and go step by step. The members of the wikimedia board of directors are identified individuals. The chair of the board says she was told checkusers' real identities are known to the office (and there is a proposal at meta to make that official policy). A proposed change to arbcom policy will let arbcom join this at a speed it chooses for itself (voluntary as a group is important; individuals in that group who do not volunteer can be phased out over an appropriate length of time). A credentials policy and applying BLP to user pages can result in a decrease in unproven claims of Ph.D over time and an increase in proven Ph.D. over time. WAS 4.250 16:55, 9 March 2007 (UTC)


 * I agree that checkusers need to reveal themselves, but to the Board. And the board needs to be very careful of that identity. I view the Board as the first group of "notaries", and then the checkusers would be second, since they are all vouched for by the board. Arbcom I am still considering, but would lean to having them id'd to the board. Bcrats and admins would expand their own web of trust, IMO. -- Avi 16:58, 9 March 2007 (UTC)


 * Walled gardens of trust are not good. Each voucher ("I know him") needs to be able to be traced back to a known publicly identified person. But it can start voluntarily anywhere on wikipedia and expand. The more publicly identified persons in the web the more trustworthy it becomes. A new policy is not needed for these webs to be created and grown. Why not start with identifying what software tools wikipedia could use to help with voluntary wikipedia webs of trust and see which tools get the most support? WAS 4.250 18:12, 9 March 2007 (UTC)

Good things
Interestingly enough, I think that I duplicated some of your suggestions on the main discussion page. I like the web of trust idea, though; it has been proven to be well-to-do in the areas of public-key encryption technology, and I do not see any reason for that type of system to not become part of this project. —Mike Trausch Fd0man • Talk to me 19:35, 9 March 2007 (UTC)

Can you help me wrap my brain around this?
I read the page and the Web of Trust link but I must admit to still being confused. I think it would help me if you wrote up a mock example of what the certification would look like and what it would say. Like "This user was verified on 2-13-08 using the XYZ process and the following items were verified: X Y and Z"? MikeURL 21:21, 9 March 2007 (UTC)

I envision a user sub-page with statements by notaries/users verifying claims. If we use actual PGP Keys, we can sign messages like so:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I verify that MikeURL is a neat guy and plays a mean trombone. -- Avi
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32) - WinPT 1.2.0

iD8DBQFF8diey6A/RnheoikRAhAXAJ9bTjShr6Oxia1MHtrS2KRDBNo1RgCfT65U
Ho1NkfYNEKSHNQ4RyYEM1OU=
=dcw0
-----END PGP SIGNATURE-----

-- Avi 21:59, 9 March 2007 (UTC)

 * OK, I think I'm a little closer to getting this. You will have added that to my subpage and it will be associated with whatever trust you have on Wikipedia (you're putting your username on the line, so to speak). Just help me out with what the PGP part adds? What does that tell me? If I looked at the diffs I could see whether the statement did indeed come from Avraham but what additional data does the PGP key give me? MikeURL 22:13, 9 March 2007 (UTC)

It is incontrovertible evidence that only someone who knows the secret password to the PGP Key shown made that edit. It is unneeded here at wiki per se, if we trust the security of account passwords. The idea remains that I am vouching for you, so someone who trusts me will tend to trust you too, so if you claim you are a trombone expert, and I vouch for that, then it makes it less likely that you are a 24 year old kazoo player instead :) -- Avi 00:27, 11 March 2007 (UTC)

An attempt to gauge community support on this and related proposals is going on at User talk:Jimbo Wales/Credential Verification. Please participate. Thank you. WAS 4.250 11:38, 13 March 2007 (UTC)

Comments on technical aspect
My 2 cents on the technical aspects of a Web of Trust solution. Using PGP sigs has a couple of problems. It's probably too technically complicated for most people and there needs to be a secure way for people to keep their private keys private. With a significant fraction of PCs infected by zombie code, that's not so simple. Then there is the problem of sock puppets. If someone is determined to gain false credentials on wikipedia, it would not be hard to make a "quality" sock puppet. Just visit a coffee shop or use a neighbor's open WiFi to get a different IP address for the puppet account and make a few constructive copy edits on a regular basis. After a couple of months, you'd have a quite credible sock puppet or two. Never use them in a wikifight. Then have them vouch for your credentials.

What might work is for universities and research institutes to create a certificate system where the universities sign faculty members' PGP keys, or have a directory of key fingerprints on their Web site. Then a faculty member could sign his user page and that would be that. The universities would have to come up with a secure way for the Profs to store their private keys, but they have the resources to do a decent job of that if they want.--agr 11:01, 14 March 2007 (UTC)
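
An added example, not part of any comment above: the rule from the first thread that every voucher must trace back to a publicly identified person, applied to the sock-puppet scenario from the last thread, where accounts that only vouch for each other form a walled garden with no such chain. The account names, the vouch data and the `max_depth` hop limit are all constructed assumptions.

```python
from collections import deque

# Constructed sample data: VOUCHES[a] is the set of accounts that a vouches for.
IDENTIFIED = {"BoardMember1"}  # publicly identified roots (assumption)
VOUCHES = {
    "BoardMember1": {"CheckuserA"},
    "CheckuserA": {"AdminB"},
    "AdminB": {"EditorC"},
    # Walled garden: these accounts vouch only for each other and a claimant.
    "Sock1": {"Sock2", "Claimant"},
    "Sock2": {"Sock1", "Claimant"},
}


def trust_chains(identified, vouches, max_depth=3):
    """Breadth-first search from the identified roots along vouch edges.

    Returns {account: shortest vouch chain from a root}. An account is
    included only if some root reaches it within max_depth vouches.
    """
    chains = {root: [root] for root in identified}
    queue = deque(sorted(identified))
    while queue:
        voucher = queue.popleft()
        if len(chains[voucher]) - 1 >= max_depth:
            continue  # hop limit reached; do not extend this chain
        for vouched in sorted(vouches.get(voucher, ())):
            if vouched not in chains:
                chains[vouched] = chains[voucher] + [vouched]
                queue.append(vouched)
    return chains


def untraceable(identified, vouches, max_depth=3):
    """Accounts whose vouches never lead back to an identified person."""
    everyone = set(vouches) | {v for vs in vouches.values() for v in vs}
    return everyone - set(trust_chains(identified, vouches, max_depth))


if __name__ == "__main__":
    for account, chain in sorted(trust_chains(IDENTIFIED, VOUCHES).items()):
        print(account, "<-", " -> ".join(chain))
    print("no chain to an identified person:",
          sorted(untraceable(IDENTIFIED, VOUCHES)))
```

The number of vouches an account has collected plays no part in the result; only the existence of a chain from an identified root does, which is why the two mutually vouching accounts add nothing to the claimant's standing.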