[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060316232538.GC23428@sentinelchicken.org>
Date: Thu Mar 16 23:26:05 2006
From: tim-security at sentinelchicken.org (Tim)
Subject: HTTP AUTH BASIC monowall
> Frankly, the whole "web of trust" is a flawed idea. "Because A trusts
> B, and B trusts C, then A can (must?) trust C" is, excuse the lack of
> civility, utter bullshit.
>
> I trust my friends, it doesn't mean that I trust their friends. In this
> case, it's even more flawed because we're not talking about trusting a
> friend of a friend... we're talking about trusting people that our
> friends have met on the street... and that's it.
I think you are lumping several types of trust into one. (Though please
correct me if I'm wrong.)
In PGP's web of trust (which is by no means perfect), one can specify
two types of trust: how much we trust a person is who they say they are,
and how much we trust a person to properly verify the identities of
others.
These two types of trust have nothing to do with how these people
behave. Will they try to screw us? Spam us? Who knows. That's not
the point, the point in these systems is to identify people. The
easiest way to do that is to tie their keys to something more difficult
to change in the real world (driver's license, etc).
So, I argue the two-parameter, trust-degrading system OpenPGP uses fails
much more gracefully than SSL's PKI. I can ultimately trust that your
key is really yours, but I don't have to trust that you'll properly
verify others' keys. As we follow the transitive chain of trust, the
trust decreases.
People really do operate in webs like this. Obviously verifying
identities yourself is safer, but if your buddy tells you someone is
legit, you will likely trust that at least a little (and with PGP, you
can trust that referral as much or little as you like, without telling
your buddy how much you trust him).
Please tell me how this is worse than all-or-nothing CA trust in SSL.
(Besides issues with usability.)
cheers,
tim
Powered by blists - more mailing lists