Open Source and information security mailing list archives
 
Message-ID: <19434261.1142552044044.JavaMail.teamon@bda055-cell00.bisx.prod.on.blackberry>
Date: Thu Mar 16 23:34:28 2006
From: jasonc at science.org (Jason Coombs)
Subject: HTTP AUTH BASIC monowall

bkfsec wrote:
> Frankly, the whole "web of trust" is
> a flawed idea.  "Because A trusts
> B, and B trusts C, then A can (must?)
> trust C" is, excuse the lack of 
> civility, utter bullshit. 
>
> I trust my friends, it doesn't mean
> that I trust their friends.

You're applying the sick-and-stupid-Verisign-monopoly-business-strategy version of the 'web of trust' idea to all webs of trust, and that's incorrect.

Verisign is guilty of fraud in even suggesting that the CA (and the SSL certs it issues) does anything at all other than what you describe -- but don't throw the web of trust baby out with Verisign's dirty business bathwater.

The 'security' problem that a proper 'web of trust' solves nicely is the one in which particular entities are associated with individual public keys. There is no especially good way, aside from a properly-implemented web of trust, for many-to-many reliable distributed discovery of the public key-to-entity mapping that is most probably accurate because it is the correlation that your trusted associates assure you they have successfully relied on in the past to engage in communication with the party they believe to be the owner of a particular public key.

SSL does not implement any reasonable trust mechanism today because Verisign dumbed it down in order to create a universal mechanism to tax the Internet.

Best,

Jason Coombs
jasonc@...ence.org
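As an added illustration of the distinction drawn in this exchange (constructed example code, not part of the original post or of any particular PGP implementation), a toy PGP-style key validity computation. Introducer ("owner") trust is assigned only by the evaluating user and is never inherited along a signature chain, so "A trusts B, B trusts C" does not make C's certifications count for A. All key names and the two-marginals threshold are placeholder assumptions.

```python
FULL, MARGINAL = "full", "marginal"   # owner-trust levels the evaluating user can assign


def compute_valid_keys(my_key, owner_trust, signatures, marginals_needed=2):
    """Return the set of keys this user considers validly bound to their owners.

    signatures:  dict key_id -> set of key_ids that have certified (signed) it.
    owner_trust: dict key_id -> FULL/MARGINAL, set by the evaluating user only.

    A key is valid if my own key signed it, or if it carries a signature from a
    fully trusted introducer whose key is itself valid, or signatures from at
    least `marginals_needed` marginally trusted introducers with valid keys.
    A valid key is NOT automatically an introducer: that requires owner trust
    assigned by me, so trust does not propagate transitively down the chain.
    """
    valid = {my_key}
    changed = True
    while changed:                      # iterate to a fixed point
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            usable = [s for s in signers if s in valid]   # only valid keys can vouch
            if my_key in usable or any(owner_trust.get(s) == FULL for s in usable):
                valid.add(key)
                changed = True
            elif sum(owner_trust.get(s) == MARGINAL for s in usable) >= marginals_needed:
                valid.add(key)
                changed = True
    return valid


def demo():
    # Constructed keyring. Alice is the evaluating user.
    signatures = {
        "bob":   {"alice"},          # Alice certified Bob's key herself
        "carol": {"bob"},            # Bob (fully trusted introducer) certified Carol
        "dave":  {"carol"},          # Carol certified Dave, but Alice gave Carol no introducer trust
        "erin":  {"alice"},
        "frank": {"alice"},
        "grace": {"erin", "frank"},  # two marginal introducers reach the threshold
        "heidi": {"erin"},           # a single marginal introducer does not
    }
    owner_trust = {"bob": FULL, "erin": MARGINAL, "frank": MARGINAL}
    return compute_valid_keys("alice", owner_trust, signatures)
```

Running `demo()` yields Carol and Grace as valid but leaves Dave and Heidi unvalidated: Carol's key is valid, yet her signatures introduce nothing because Alice never made her an introducer.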
