Privacy and trust: Pick one.

How do you prove your identity on the internet?

Well, the standard PGP model is a web of trust. I present you with my certificate, which is signed by all these other people. How do you know I didn't just make all these people up? Well, their certificates are signed by yet more people. We have this whole web of people-who-know-people going on.

The problem is that to use this network at all, the whole thing must be public. A signature from a key you have never seen is worth nothing on its own; it only means something if you can trace a chain of signatures from someone you already trust, through each intermediate signer, to the certificate in front of you. Otherwise an attacker could simply invent a couple of people to sign their certificate, and you would have no way to tell the difference.
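To make the two paragraphs above concrete, here is a toy web-of-trust validator. It is an added example, not PGP's code or any part of the original post: keys are plain strings and a certification is just a (signer, subject) pair meaning "signer signed subject's key", so the real OpenPGP signature checking is abstracted away. The names (you, carol, bob, alice, mallory, fake1..fake3) and the certification graph are constructed for the example. It shows that counting signatures on a key is useless, because an attacker can manufacture as many signers as they like, and that what actually works is a chain of signatures reaching back to a key you trust, which requires seeing other people's signatures, not just the ones on the key you are checking.

```python
"""Toy web-of-trust validation (added example, not OpenPGP's own logic).

A certification (signer, subject) stands for "signer has signed subject's
key", i.e. signer vouches for subject. Real OpenPGP certifications are
signatures over a key and user ID; this example keeps only the graph.
"""
from collections import deque

# Constructed certification graph: who has signed whose key.
HONEST_CERTS = {
    ("you", "carol"),    # you met Carol in person and signed her key
    ("carol", "bob"),    # Carol signed Bob's key
    ("bob", "alice"),    # Bob signed Alice's key
}

# Mallory invents three signers who vouch for her and for each other.
# Nobody outside this cluster has signed any of them.
SYBIL_CERTS = {
    ("fake1", "mallory"), ("fake2", "mallory"), ("fake3", "mallory"),
    ("fake1", "fake2"), ("fake2", "fake3"), ("fake3", "fake1"),
    ("mallory", "fake1"),
}

# Everything a verifier can see if the whole network is published.
PUBLIC_CERTS = HONEST_CERTS | SYBIL_CERTS


def signer_count(certs, target):
    """Number of keys that have signed target.

    This is what a naive verifier looks at, and it is exactly the number a
    sybil cluster inflates for free.
    """
    return sum(1 for _, subject in certs if subject == target)


def trust_path(certs, trusted_roots, target, max_hops=3):
    """Shortest chain of certifications from a trusted root to target.

    Follows edges signer -> subject with breadth-first search and returns the
    list of keys on the path, or None if no chain of at most max_hops
    signatures exists. Every key on the returned path (and every edge the
    search had to look at) is information the verifier needed to see.
    """
    if target in trusted_roots:
        return [target]
    out_edges = {}
    for signer, subject in certs:
        out_edges.setdefault(signer, []).append(subject)
    queue = deque((root, [root]) for root in trusted_roots)
    seen = set(trusted_roots)
    while queue:
        key, path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue  # chain already as long as we are willing to accept
        for subject in sorted(out_edges.get(key, ())):
            if subject in seen:
                continue
            new_path = path + [subject]
            if subject == target:
                return new_path
            seen.add(subject)
            queue.append((subject, new_path))
    return None


if __name__ == "__main__":
    # Mallory has more signatures than Alice, yet no path from "you".
    print("signers on alice:  ", signer_count(PUBLIC_CERTS, "alice"))
    print("signers on mallory:", signer_count(PUBLIC_CERTS, "mallory"))
    print("path to alice:  ", trust_path(PUBLIC_CERTS, {"you"}, "alice"))
    print("path to mallory:", trust_path(PUBLIC_CERTS, {"you"}, "mallory"))
    # If you can only see the signatures on Alice's own key, the chain
    # cannot be traced and her key is unverifiable.
    only_alices_key = {c for c in PUBLIC_CERTS if c[1] == "alice"}
    print("path with only alice's signatures visible:",
          trust_path(only_alices_key, {"you"}, "alice"))
```

The last call is the privacy point of the post: to validate Alice's key you need to read Carol's and Bob's signatures too, which are statements about who Carol and Bob know, not about Alice. A verifier who only sees the signatures attached to the key being checked cannot distinguish Alice from Mallory.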

You could ask random people on the street to verify your identity, but the only way they can tell who you are is by looking at government-issued ID or something similar. The people you really want verifying your identity are the people who have known you in person for several years. Who knows you that well? Friends and family. In a way, the best web of trust is your Facebook friend network. Except, to be effective, you have to make your network visible.

This is a strange conflict that any web of trust has. If the network isn't public, you can't trust it. If the network is public, you have to give up privacy.

A very surprising conflict.