[Discuss] root CA bloat

Derek Martin invalid at pizzashack.org
Tue Nov 25 13:15:22 EST 2014


On Mon, Nov 24, 2014 at 09:35:16PM -0500, Richard Pieri wrote:
> On 11/24/2014 3:20 PM, Derek Martin wrote:
> >It is a practical impossibility for you (or your organization) to
> >actually truly authenticate each and every entity with whom you do
> >business on the Internet.  
> 
> I don't agree with the base assertion.
[described "solution" snipped.]
> Yes, I'm aware that this does not solve the initial trust problem. 

And therein lies the problem.  The initial trust problem is, I assert
without conclusive proof, intractable.  All I can offer is an analogy
to illustrate the problem, with the caveat that this very quickly
dives into the depths of philosophy.

Let's say I meet you on the street, and you tell me you are Steven
Smith, and produce very good fake ID to that effect.  As it happens
(in this scenario) I am exceptionally good at spotting fake ID.  I
prove that your ID is fake.  This does not prove to me who you are--it
only proves to me one identity whom you are not.  

The fact is, though my resources are limited and I could not afford to
do the required research to minimize my uncertainty of your identity
(the practical problem), there is actually no way for ME to ever prove
conclusively that you are who you are (nevermind who you say you are).
I believe this is a fundamental truth, because your identity truly
lies almost solely in your own mind.

Other people may recognize you, but they can not, in fact, prove
beyond a shadow of a doubt that you are not just some exceptionally
clever imposter, or that your identity isn't a complete fabrication
that you have adeptly developed and maintained since before they met
you.

For businesses, the problem is in some ways better, and in some ways
worse.  There is no real identity at all, except that which is defined
by commercial law.  You can't ever really know whom you are trusting,
because it can change in the blink of an eye.  You perhaps can, given
enough research, prove that legally the person you are dealing with
who purports to represent the corporation, actually does.  But I don't
know anyone whom actually does that, or ever would...  The cost of
doing that is prohibitive.

All you can ever do is improve your certainty; you can not guarantee
it.  Ever.  And one of the properties of humanity that never ceases to
amuse me is that you can be absolutely certain of something... and
still be wrong.  It happens to me more and more as I get older. ;-)


> Like I wrote above, I don't believe it is impossible to solve, only
> that nobody has put the effort into solving it (or if they have then
> their work has largely been ignored).

I don't believe that is true.  It's widely recognized as a problem and
none of the great minds of our time have put forth anything resembling
a real solution, practical or otherwise.  There are a number of
"solutions" that are aimed specifically at trusting entities such as
on-line retailers.  But they don't actually solve the problem; they
just minimize it.

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.



More information about the Discuss mailing list