[linux-elitists] SSL security certificates
Thu Apr 10 17:55:18 PDT 2003
On Thu, Apr 10, 2003 at 05:41:07PM -0700, Aaron T Porter wrote:
> On Thu, Apr 10, 2003 at 05:36:01PM -0700, email@example.com wrote:
>>> What I'm imagining is a system that uses a PGP/GPG ring of trust
>>> to establish identity and then building some sort of a "Six Degrees"
>>> social network to establish the validity of a certificate request. I'm
>>> still not 100% certain that a reliable network of trusted friends would be
>>> large enough to be of general use or if opening a private group certificate
>>> authority to the public is a fantastic idea, but I think it might work.
>> The "web of trust" is even more broken than the Thawte/Verisign
> How so? With Thawte all I know is someone has a word processor and
> the ability to send a fax. With a controlled web of trust at least I know
> that someone I trust is willing to vouch for the certificate holder. I'm
> not suggesting growing the "tree of trust" (not identity, validity) either
> automatically or indefinitely.
The problem isn't on *your* side.

Encryption and identity assertions are really only needed when
talking to strangers or over untrusted networks (modulo
storage, a separate discussion). If I know you, PGP is fine.
However, if I know your brother's friend's dope dealer, there is
absolutely 0 assurance you are who you say you are.

*YOU* may be willing to delegate your trust, but there is
absolutely no reason for *me* to trust your trust, much less the
delegation of that trust.

Then there is the whole argument about what you are actually
asserting via the web of trust. Are you asserting faith in
identity? Are you asserting trust in someone else's ability (and
integrity) in determining identity and delegating trust?

Believe it or not, Thawte actually does take steps to verify what
they get--at least the first time you talk to them.

"Fiat justitia et ruat caelum"
(Let justice be done though the heavens fall.)
--legal maxim originating with the Senate of Rome.