Date: Mon, 27 Sep 2004 14:05:00 -0400 (EDT)
From: "Greg A. Woods" <woods@...rd.com>
To: Seth Arnold <sarnold@...unix.com>
Cc: "BUGTRAQ: Full Disclosure Security Mailing List" <bugtraq@...urityFocus.com>
Subject: Re: New whitepaper "The Phishing Guide"


[ On Thursday, September 23, 2004 at 12:21:40 (-0700), Seth Arnold wrote: ]
> Subject: Re: New whitepaper "The Phishing Guide"
>
> Methinks PGP is good for talking within friends, but perhaps trusting
> communications from J. Random Corporation with PGP as your best means of
> verification is a stretch. The Web Of Trust idea only takes you so far
> in combating these problems -- I've heard anecdotal evidence that
> someone has replicated the entire "Web Of Trust" graph with identical
> uids on keys of EFF members. If one starts the search from the desired
> key and searches until finding a plausible name, one is doomed. One must
> return to one's own key

You seem to be blaming the existing state of the PGP web of trust on
some fundamental failing in its design and yet you then go on to admit
that people use the wrong kinds of things in real life to authenticate
and identify others with, and you further admit that the public in
general still has a lot to learn about using computing and networking
infrastructures safely in their daily lives.

PGP's web of trust can be almost infinitely more reliable, trustworthy,
and controllable, than any one, or many, for-profit certification
agencies.

Just because one takes a set of dedicated PGP users and tries but fails
to establish trust relationships with non-PGP users doesn't mean PGP's
web of trust is broken -- one of the parties is "broken", not the web of
trust itself or the concept of a web of trust.  Obviously in order to
establish trusted end-to-end communications both parties must be
dedicated to using the technology that achieves their goal and both
parties must have some basis for relating to each other.  The web of
trust simply allows that relationship to have a somewhat less direct
nature and to be many-to-many instead of one-to-one.

The idea that a web of trust can work very well once it reaches critical
mass can be trivially demonstrated through simple analysis of the web of
"friends" formed in any of these large online networking systems such as
Orkut.


> -- AND have faith that everyone in the middle
> played fairly.

No, that's not true -- faith doesn't enter into it.  In a sufficiently
connected and properly maintained web of trust it should be relatively
easy for conspirators to be weeded out and eliminated.

Not that such a thing is easy to achieve of course.

Obviously a sufficient level of interconnection in a web of trust
requires a critical mass of users; and proper maintenance of the web of
trust requires a sufficient level of proficiency and dedication on the
part of those users.  It would certainly help a lot if those users were
encouraged to learn what they need to know and encouraged to pay
attention to maintaining their status and involvement through the
initiative of whatever large institutions many people are already
involved with.  Unfortunately it seems such institutions (e.g. banks,
etc.) have so far gone in the direction of using for-profit (and usually
for-profit public corporate) entities to manage x.509 style certificate
authorities.

Technically there is not a lot of difference between PGP's web of trust
and a group of certificate authorities.  PGP is not just for mail and
SSL/TLS is not just for HTTP.  There are indeed deficiencies in PGP's
implementation choices.  A public web of trust can be built using any
public-key crypto system.  I think the important thing is that we need
to work on building a democratic web of trust -- and learn to rely less
on certificate authorities operated by for-profit, and particularly
public, corporations.  The public corporation is anything but
democratic, especially when it gets involved in the affairs of private
individuals and government bodies.

-- 
						Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <woods@...ohack.ca>
Planix, Inc. <woods@...nix.com>          Secrets of the Weird <woods@...rd.com>
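
The quoted point about a cloned graph with identical uids, as an added example that is not part of the original message: searching back from the desired key until a familiar name appears accepts a forged clique, while a path search that starts at one's own key fingerprint does not. The model is simplified (every certification on a path counts as fully trusted), and all fingerprints, names and signatures below are constructed.

```python
from collections import deque

# Constructed sample data: fingerprint -> uid. "AAAA" is the verifier's own key.
UIDS = {
    "AAAA": "me", "B001": "Alice", "C001": "Bob", "D001": "J. Random Corp",
    # Forged clique: identical uids on different keys that sign each other.
    "B666": "Alice", "C666": "Bob", "D666": "J. Random Corp",
}
# (signer_fpr, signed_fpr) certifications.
SIGS = [
    ("AAAA", "B001"), ("B001", "C001"), ("C001", "D001"),  # genuine chain
    ("B666", "C666"), ("C666", "D666"),                    # cloned chain
]

def search_back_by_name(target_fpr, familiar_name, max_depth=5):
    """Flawed check: walk signers back from the target until a uid matches."""
    queue, seen = deque([(target_fpr, 0)]), {target_fpr}
    while queue:
        fpr, depth = queue.popleft()
        if UIDS[fpr] == familiar_name:   # a uid string proves nothing
            return True
        if depth < max_depth:
            for signer, signed in SIGS:
                if signed == fpr and signer not in seen:
                    seen.add(signer)
                    queue.append((signer, depth + 1))
    return False

def path_from_own_key(own_fpr, target_fpr, max_depth=5):
    """Sound direction: breadth-first from our own fingerprint to the target."""
    queue, seen = deque([[own_fpr]]), {own_fpr}
    while queue:
        path = queue.popleft()
        if path[-1] == target_fpr:
            return path
        if len(path) <= max_depth:
            for signer, signed in SIGS:
                if signer == path[-1] and signed not in seen:
                    seen.add(signed)
                    queue.append(path + [signed])
    return None  # no certification chain rooted at our own key

if __name__ == "__main__":
    for target in ("D001", "D666"):
        print(target, "name match:", search_back_by_name(target, "Alice"),
              "| path from own key:", path_from_own_key("AAAA", target))
```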

