My point is to say simply that an operator of a node of a distributed
authority will be trusted because the precedent for trust already exists.
Sure, there are problems with SSL/TSL and the susceptibility to man in the
middle, but if it weren't for cert providers, we wouldn't have wholesale
encryption at the transport. Or perhaps we'd have some other form of
encryption at the transport that might present some other - or the same -
attack surface. And even if it is merely a perception of security, the
perception has been effective enough to provide encouragement to consumers
for engaging in allowing their information to be transmitted across the
wire - regardless of their perception of what happens with it at the data
store.
Anyway, just my two cents... I'm personally in favor of distributing a
repository to private operators the way that Project Liberty and UDDI do. I
don't believe that it has to necessarily be a government entity.
The thing about VeriSign and Thawte was merely an aside to suggest - again -
that a centralized control does not need to be in the hands of the
government and I personally feel that a government agency might not be able
to execute with the agility of a private agency.
My point about the government-operated national no-call list is that it
isn't a compelling example of the potential of a government operation
because the app is _relatively_ simple.
My apologies for reiterating - just trying to clarify the intent of my
message.
----- Original Message -----
From: "Vernon Schryver" <vjs(_at_)calcite(_dot_)rhyolite(_dot_)com>
To: <asrg(_at_)ietf(_dot_)org>
Sent: Friday, April 11, 2003 7:43 PM
Subject: Re: [Asrg] New take on emerging idea. (Query/C-R system?)
From: "Scott Bellware" <sbellware(_at_)hotmail(_dot_)com>
And we wouldn't even have eCommerce if
it
weren't for the trust that we already put in certificate authorities
like
VeriSign and Thawte.
...
That is technically wrong, although perhaps politically correct.
The politicial aspect is that people who don't have any idea or
interest in the technical details have been helped to overcome
their fears of "eCommerce" by the fig leaf of comemrcial PKI.
The certificates sold by VeriSign and Thawte have nothing to do with
any trust in any merchant by anyone with the least understanding of
how the system works. The trust any minimally knowledgeable person
has in "eCommerce" is based on the consumer protection laws on credit
cards and personal due diligence.
Just as with PGP keys, a VeriSign, Thawte, or other commercial
certificate says nothing about whether the vendor or other outfit on
the other end of an SSL or TLS connection is a crook. Those certificates
merely make some already very unlikely attacks on your data slightly
less likely. Namely they make some man-in-the-middle attacks less
likely. They don't eliminate MIM attacks because of holes in DNS
security. When (and if) DNSSEC arrives, those holes will finally be
plugged, no thanks to commercial PKI.
The confidentiality of your credit card number or other private
information on Internet wires is provided by mechanisms that do not
require any sort of PKI.
Vernon Schryver vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg