[upofadown]

>A key shortcoming that makes many of these attacks possible is that Bridgefy offers no means of cryptographic authentication, which one person uses to prove she’s who she claims to be.

Identity is critical in encrypted messaging. Identity is a hard problem in practice. Very few things do an adequate job. The things that do are awkward and require concepts that few people understand.

[tialaramex]

Somebody needs to expend a bunch of effort to provide identity. It doesn't have to be you (in a PKI the effort is expended by the Certificate Authorities and those overseeing them, not by Relying Parties) but it does have to be somebody you trust.

For personal identity the most plausible outside authority is government, and it's unlikely that people protesting a government would trust it to identify them - after all government counter-protest forces would presumably be able to make use of that against them.

So you're probably screwed in the larger sense. Is this tip that "There is a team with food and water on the North side of the bridge" from "Kirsty" real? Well you haven't the faintest idea who "Kirsty" is so even if you could magically be entirely confident the message is really from "Kirsty" that doesn't help you decide.

Signal does the absolute most it's practical to attempt here, you can choose to check that your friend Kirsty is actually your friend Kirsty by some trustworthy means (e.g. meeting up physically) and then Signal promises you'll know that future messages are really from Kirsty. But trust isn't transitive so PGP's apparently more powerful offering doesn't actually do anything except maybe give you a false sense of security.

Bridgefy doesn't offer even that very limited capability from Signal, but I'm dubious about the practical import for a live protest. I can buy that BLM or Extinction Rebellion which are long-term organisations with sustained buy-in from local organisers benefit from something like that (and indeed ER uses Signal) but individual protests or protesters I don't think so.

[upofadown]

No one really wants their legal identity linked to a messaging identity anyway. It just isn't a suitable concept. Identity in a messaging context normally has multiple instances. You don't want your work identity linked to your family identity linked to your bar identity...

Leaving off the question of how useful the transitive stuff is, PGP has a reasonable and simple framework. The terminology of key trust is terrible though. Few people know what it means to trust a key (my house key is OK but I think my shed key might be up to no good).

Messaging identity reputation is all about what you think of the other people's identities. Do you know them? What context do you know them from (e.g. a particular protest)? Why you think this messaging identity relates to a person somehow? How is this entity allowed to interact with you? This stuff can't be automated away.

I think the ultimate answer would have to involve generating a simple conceptual model of a messaging identity and then teaching people about it. If you solve identity then everything else is easy.

[Reelin]

> But trust isn't transitive so PGP's apparently more powerful offering doesn't actually do anything ...

Trust in the abstract isn't inherently transitive, agreed. I'd argue that employing PGP as though it were is misusing the tool (that might well be easier to do than it ought to be, but that's a different conversation).

WoT as realized by PGP seems to me to be a very good tool for manually assessing whether to trust a previously unknown key for someone that a third (untrusted) party sends you.

I remain highly optimistic that some future take on the WoT concept will be advanced enough to tackle trust in general in a distributed manner.

[rrdharan]

> WoT as realized by PGP seems to me to be a very good tool for manually assessing whether to trust a previously unknown key for someone that a third (untrusted) party sends you.

https://inversegravity.net/2019/web-of-trust-dead/

[Reelin]

That article isn't particularly relevant to what I said.

The issues it describes only affect keyservers that behave in a specific manner. I'd also argue that a keyserver behaving that way in the first place is fundamentally flawed for the reason pointed out by @tialaramex above - trust isn't transitive in the generalized case (nor is it boolean IMO).

It is still entirely possible for a small group (say a FOSS software project) to engage in cross signing. Previously unseen keys received from an untrusted (or less trusted) third party can then be judged on a case by case basis by manually assessing how many times they have been signed and by which keys.

(Similar to above, I believe Matrix employs cross signing among the keys of a single user.)