Re: [Full-disclosure] HTTP AUTH BASIC monowall
- To: "bkfsec" <bkfsec@xxxxxxxxxxxxxxxx>, Valdis.Kletnieks@xxxxxx
- Subject: Re: [Full-disclosure] HTTP AUTH BASIC monowall
- From: "Jason Coombs" <jasonc@xxxxxxxxxxx>
- Date: Thu, 16 Mar 2006 23:31:28 +0000 GMT
bkfsec wrote:
> Frankly, the whole "web of trust" is
> a flawed idea. "Because A trusts
> B, and B trusts C, then A can (must?)
> trust C" is, excuse the lack of
> civility, utter bullshit.
>
> I trust my friends; it doesn't mean
> that I trust their friends.
You're applying the sick-and-stupid-Verisign-monopoly-business-strategy version
of the 'web of trust' idea to all webs of trust, and that's incorrect.
Verisign is guilty of fraud in even suggesting that the CA (and the SSL certs
it issues) does anything at all other than what you describe -- but don't throw
the web of trust baby out with Verisign's dirty business bathwater.
The 'security' problem that a proper 'web of trust' solves nicely is the one in
which particular entities are associated with individual public keys. There is
no especially good way, aside from a properly-implemented web of trust, for
many-to-many reliable distributed discovery of the public key-to-entity mapping
that is most probably accurate because it is the correlation that your trusted
associates assure you they have successfully relied on in the past to engage in
communication with the party they believe to be the owner of a particular
public key.
SSL does not implement any reasonable trust mechanism today because Verisign
dumbed it down in order to create a universal mechanism to tax the Internet.
Best,
Jason Coombs
jasonc@xxxxxxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/