Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive



[Discuss] root CA bloat



On Tue, Nov 25, 2014 at 02:52:47PM -0500, Richard Pieri wrote:
> On 11/25/2014 1:15 PM, Derek Martin wrote:
> >Let's say I meet you on the street, and you tell me you are Steven
> >Smith, and produce very good fake ID to that effect.  As it happens
> >(in this scenario) I am exceptionally good at spotting fake ID.  I
> >prove that your ID is fake.  This does not prove to me who you are--it
> >only proves to me one identity whom you are not.
> 
> It proves that I'm that particular guy you met on the street. You
> may not know my real identity but you still have a piece of
> information -- a fingerprint if you will -- that is uniquely mine.

This misses the point:  we're talking about authenticating
(essentially) anonymous parties on the internet for (essentially)
trusting them with your money and/or secrets.  The above was only
an analogy to illustrate the problem.  Though your response sort of
makes my point for me.... sort of.  Having met "fake Steven Smith #32"
I would certainly trust him with neither my money nor my secrets.

> If that fingerprint is used then you know that it's the guy you met
> on the street with Steven Smith fake ID #32. That's all you need if
> you want to communicate with fake Steven Smith #32.

I have no need to communicate with "fake Steven Smith #32"... my goal
is to trust that the website behind certificate XYZ actually belongs
to my brokerage house, rather than some "fake Steven Smith #32" who
fully intends to abscond with my nest egg.  The fingerprint of "fake
Steven Smith #32" has no value to me (or, I dare say, anyone), and I
would not bother attempting to secure my communications with that
person.
 
> At which point a web of trust or hybrid web and chain can be used if
> you need more than that. It's not an unsolvable problem. It's
> already been solved: social networks.

Oh, right, just like the web of trusted certificate authorities.  It's
a solved problem, so we really don't need to continue this discussion!

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org