 The term "trust" in "web of trust" refers to authentication, not to authorization. In other words, web of trust provides an attestation of the authenticity of a given identity, independent of application. Follow lists do a great job of this. 

Only leveraging the authenticity of a given pubkey relative to yourself for a particular purpose other than fetching and displaying social content (the explicit intention behind "follows") requires additional information. Often this can be provided by the user through common sense (e.g. identifying a satire account), or additional attestations (I fully/partially trust this person for purpose x, and transitively trust them to make the same kind of attestations about other accounts).

Follow-based web of trust authentication is a substrate upon which unqualified and qualified web of trust application-specific authorization can be built.

This thought courtesy of my reading of Ashish Gulhati's essay "Secure Communication: The Technology of Freedom" in "Beautiful Code" this fine Sunday afternoon.