Web of Trust (a revolution)

m maximilianbianco at gmail.com
Tue Mar 31 15:00:34 UTC 2009

Bill Crawford wrote:
> On Monday 30 March 2009 20:12:45 Bruno Wolff III wrote:
>> On Mon, Mar 30, 2009 at 13:46:02 -0400,
>>   Todd Denniston <Todd.Denniston at ssa.crane.navy.mil> wrote:
>>> i.e., sure all the root CA's that the browser producers want to include
>>> can come in, but they should have trust DBs that allow each user to tick:
>>> * Never trust this key. (and by extension anything it has signed. Perhaps
>>> with a pop up indicating 'the sig is ok, according to bla, but bla is a
>>> known idiot.')
>>> * Marginal trust. (pop up something saying 'the sig is ok, according to
>>> bla, but you are uncomfortable with bla.')
>>> * Fully trust. (operate as CA's in web browsers since they started
>>> getting CA's.)
>>> And by default (as released by the browser producers) the keys should be
>>> set to either Never or Marginal.
>> I'd rather see more of a web of trust type model. Right now you can only
>> have one chain of certificates. So you can't have a cert signed by multiple
>> roots.
> Ought to be possible for people to visit companies' offices and sign their keys, 
> and add them to the "web of trust" as per PGP / GPG keys. No idea if / how that 
> should be done, in practice, though.
Difficult at best, who wants to trust a faceless corporation? Not to be
cynical but you might trust the receptionist but what about the IT dept?
Are they competent? Money is no guarantee of anything, in fact the
larger the company the more likely they will let something slip through
the cracks. Companies all say they are secure and trustworthy, but who
is hiring these people? Are there background checks? Should there be?
Probably they outsource that and then you have to see if you can trust
that company too. The main problem is that so much gets outsourced so
dept head A doesn't have to worry about it but who is checking that this
other company is doing it right? It's an endless cycle of paranoia.

"Any fool can know. The point is to understand" --Albert Einstein
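As an added illustration, not from this thread or any browser's code, here is how a per-user trust DB with the three levels Todd proposes (never / marginal / full, with marginal as the shipped default) could be evaluated for a certificate that, as Bruno asks for, carries signatures from several roots. The root key ids, the DB contents and the "two marginals equal one full" rule are assumptions.

```python
from enum import Enum


class Trust(Enum):
    """User-assigned trust in a root key, as proposed in the thread."""
    NEVER = "never"        # reject anything this key has signed
    MARGINAL = "marginal"  # signature is fine, but warn the user
    FULL = "full"          # behave like today's browser CA handling


# Constructed sample trust DB keyed by root key id (hypothetical ids).
TRUST_DB = {
    "ROOT-A": Trust.FULL,
    "ROOT-B": Trust.MARGINAL,
    "ROOT-C": Trust.MARGINAL,
    "ROOT-D": Trust.NEVER,
}

# Assumption, borrowed from PGP's trust model: this many MARGINAL signers
# together count as much as one FULL signer.
MARGINALS_NEEDED = 2


def evaluate(signers, trust_db, default=Trust.MARGINAL,
             marginals_needed=MARGINALS_NEEDED):
    """Decide what to do with a certificate carrying valid signatures from
    `signers` (root key ids whose signatures have already been verified
    cryptographically; this function only applies the user's trust policy).

    Returns (verdict, message); verdict is "accept", "warn" or "reject".
    Roots missing from the DB get `default`, the shipped setting.
    """
    if not signers:
        return "reject", "no valid signature from any root"
    levels = {s: trust_db.get(s, default) for s in signers}
    never = [s for s, t in levels.items() if t is Trust.NEVER]
    if never:  # a NEVER key vetoes: nothing it signed is trusted
        return "reject", f"sig is ok according to {never[0]}, but you never trust {never[0]}"
    full = [s for s, t in levels.items() if t is Trust.FULL]
    if full:
        return "accept", ""
    marginal = [s for s, t in levels.items() if t is Trust.MARGINAL]
    if len(marginal) >= marginals_needed:
        return "accept", ""
    return "warn", f"sig is ok according to {', '.join(marginal)}, but you are uncomfortable with them"
```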