[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Asrg] New take on emerging idea. (Query/C-R system?)
My point is to say simply that an operator of a node of a distributed
authority will be trusted because the precedent for trust already exists.
Sure, there are problems with SSL/TSL and the susceptibility to man in the
middle, but if it weren't for cert providers, we wouldn't have wholesale
encryption at the transport. Or perhaps we'd have some other form of
encryption at the transport that might present some other - or the same -
attack surface. And even if it is merely a perception of security, the
perception has been effective enough to provide encouragement to consumers
for engaging in allowing their information to be transmitted across the
wire - regardless of their perception of what happens with it at the data
store.
Anyway, just my two cents... I'm personally in favor of distributing a
repository to private operators the way that Project Liberty and UDDI do. I
don't believe that it has to necessarily be a government entity.
The thing about VeriSign and Thawte was merely an aside to suggest - again -
that a centralized control does not need to be in the hands of the
government and I personally feel that a government agency might not be able
to execute with the agility of a private agency.
My point about the government-operated national no-call list is that it
isn't a compelling example of the potential of a government operation
because the app is _relatively_ simple.
My apologies for reiterating - just trying to clarify the intent of my
message.
----- Original Message -----
From: "Vernon Schryver" <vjs@calcite.rhyolite.com>
To: <asrg@ietf.org>
Sent: Friday, April 11, 2003 7:43 PM
Subject: Re: [Asrg] New take on emerging idea. (Query/C-R system?)
> > From: "Scott Bellware" <sbellware@hotmail.com>
>
> > And we wouldn't even have eCommerce if
it
> > weren't for the trust that we already put in certificate authorities
like
> > VeriSign and Thawte.
> > ...
>
> That is technically wrong, although perhaps politically correct.
> The politicial aspect is that people who don't have any idea or
> interest in the technical details have been helped to overcome
> their fears of "eCommerce" by the fig leaf of comemrcial PKI.
>
> The certificates sold by VeriSign and Thawte have nothing to do with
> any trust in any merchant by anyone with the least understanding of
> how the system works. The trust any minimally knowledgeable person
> has in "eCommerce" is based on the consumer protection laws on credit
> cards and personal due diligence.
>
> Just as with PGP keys, a VeriSign, Thawte, or other commercial
> certificate says nothing about whether the vendor or other outfit on
> the other end of an SSL or TLS connection is a crook. Those certificates
> merely make some already very unlikely attacks on your data slightly
> less likely. Namely they make some man-in-the-middle attacks less
> likely. They don't eliminate MIM attacks because of holes in DNS
> security. When (and if) DNSSEC arrives, those holes will finally be
> plugged, no thanks to commercial PKI.
>
> The confidentiality of your credit card number or other private
> information on Internet wires is provided by mechanisms that do not
> require any sort of PKI.
>
>
> Vernon Schryver vjs@rhyolite.com
> _______________________________________________
> Asrg mailing list
> Asrg@ietf.org
> https://www1.ietf.org/mailman/listinfo/asrg
>
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg