Full Disclosure mailing list archives
Re: HTTP AUTH BASIC monowall
From: Tim <tim-security () sentinelchicken org>
Date: Thu, 16 Mar 2006 18:25:38 -0500
Frankly, the whole "web of trust" is a flawed idea. "Because A trusts B, and B trusts C, then A can (must?) trust C" is, excuse the lack of civility, utter bullshit. I trust my friends, it doesn't mean that I trust their friends. In this case, it's even more flawed because we're not talking about trusting a friend of a friend... we're talking about trusting people that our friends have met on the street... and that's it.
I think you are lumping several types of trust into one. (Though please correct me if I'm wrong.)

In PGP's web of trust (which is by no means perfect), one can specify two types of trust: how much we trust a person is who they say they are, and how much we trust a person to properly verify the identities of others. These two types of trust have nothing to do with how these people behave. Will they try to screw us? Spam us? Who knows. That's not the point, the point in these systems is to identify people. The easiest way to do that is to tie their keys to something more difficult to change in the real world (driver's license, etc).

So, I argue the two-parameter, trust-degrading system OpenPGP uses fails much more gracefully than SSL's PKI. I can ultimately trust that your key is really yours, but I don't have to trust that you'll properly verify others' keys. As we follow the transitive chain of trust, the trust decreases. People really do operate in webs like this. Obviously verifying identities yourself is safer, but if your buddy tells you someone is legit, you will likely trust that at least a little (and with PGP, you can trust that referral as much or little as you like, without telling your buddy how much you trust him).

Please tell me how this is worse than all-or-nothing CA trust in SSL. (Besides issues with usability.)

cheers,
tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
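The two separate trust parameters Tim describes (whether a key really belongs to its named owner, versus whether that owner is trusted to certify others) can be made concrete with a small model of the trust calculation. The following is an added example, not code from the original post or from any PGP implementation; it is loosely modeled on GnuPG's classic trust model and uses GnuPG's default thresholds (1 fully trusted certifier or 3 marginally trusted certifiers make a key fully valid; certification chains longer than 5 hops are ignored). The key names, signatures and trust assignments are constructed for illustration.

```python
"""
Toy model of an OpenPGP-style web-of-trust validity calculation.

Added example, not code from the original post. Thresholds follow GnuPG's
defaults (marginals-needed=3, completes-needed=1, max-cert-depth=5) as an
assumption; the web of keys below is constructed for illustration.
"""
from collections import defaultdict

# Owner trust: how much the local user trusts this key's owner to verify
# OTHER people's identities before signing their keys.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = range(5)

# Validity: how sure the local user is that a key belongs to its named owner.
INVALID, MARGINAL_VALID, FULL_VALID = "invalid", "marginal", "full"


def compute_validity(owner_trust, certifications, marginals_needed=3,
                     completes_needed=1, max_depth=5):
    """
    owner_trust: {key: level} assigned locally by the user.
    certifications: {signed_key: {signer_key, ...}} (signer vouched for signed_key).
    Returns {key: validity}.

    Keys marked ULTIMATE are valid by definition (depth 0). Any other key becomes
    valid only through certifications from keys that are themselves fully valid
    AND whose owners were assigned trust. The two parameters are independent:
    a fully valid key whose owner trust is NEVER certifies nothing.
    """
    all_keys = set(owner_trust) | set(certifications)
    all_keys |= {s for signers in certifications.values() for s in signers}
    validity = {k: INVALID for k in all_keys}
    depth = {}  # hops from an ULTIMATE key, for the max_depth cut-off
    for k, t in owner_trust.items():
        if t == ULTIMATE:
            validity[k], depth[k] = FULL_VALID, 0

    changed = True
    while changed:  # validity only ever increases, so this terminates
        changed = False
        for key, signers in certifications.items():
            if validity[key] == FULL_VALID:
                continue
            full = marginal = 0
            best_depth = None
            for s in signers:
                # Certifier must be fully valid and within the chain-length limit.
                if validity.get(s) != FULL_VALID or depth.get(s, max_depth) >= max_depth:
                    continue
                t = owner_trust.get(s, UNKNOWN)
                if t in (FULL, ULTIMATE):
                    full += 1
                elif t == MARGINAL:
                    marginal += 1
                else:
                    continue  # valid key, but owner not trusted to certify
                d = depth[s] + 1
                best_depth = d if best_depth is None else min(best_depth, d)
            if full >= completes_needed or marginal >= marginals_needed:
                new = FULL_VALID
            elif full or marginal:
                new = MARGINAL_VALID
            else:
                new = INVALID
            if new != validity[key]:
                validity[key] = new
                if new == FULL_VALID:
                    depth[key] = best_depth
                changed = True
    return validity


def demo(extra_certs=()):
    """Constructed web: alice is the local user. Returns the validity map."""
    owner_trust = {
        "alice": ULTIMATE,
        "bob": FULL,      # alice trusts bob to verify others
        "carol": NEVER,   # alice believes carol's key is hers, but not carol's checks
        "erin": MARGINAL, "frank": MARGINAL, "grace": MARGINAL,
    }
    certs = defaultdict(set)
    pairs = [("alice", "bob"), ("bob", "carol"), ("carol", "dave"),
             ("alice", "erin"), ("alice", "frank"), ("alice", "grace"),
             ("erin", "heidi"), ("frank", "heidi")] + list(extra_certs)
    for signer, signed in pairs:
        certs[signed].add(signer)
    return compute_validity(owner_trust, certs)


if __name__ == "__main__":
    for k, v in sorted(demo().items()):
        print(f"{k:6} {v}")
    print("with grace also signing heidi:", demo([("grace", "heidi")])["heidi"])
```

In the constructed web, carol's key is fully valid (bob, whom alice trusts fully, signed it) yet dave's key stays invalid because alice set carol's owner trust to NEVER: the identity of a key and the owner's competence as a certifier are scored separately. heidi's key is only marginally valid with two marginal certifiers and becomes fully valid once a third one signs it, which is the graded "trust that referral as much or little as you like" behaviour the post contrasts with all-or-nothing CA trust.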
Current thread:
- HTTP AUTH BASIC monowall Brian Eaton (Mar 16)
- Re: HTTP AUTH BASIC monowall Tim (Mar 16)
- Re: HTTP AUTH BASIC monowall Valdis . Kletnieks (Mar 16)
- Re: HTTP AUTH BASIC monowall bkfsec (Mar 16)
- Re: HTTP AUTH BASIC monowall Tim (Mar 16)
- Re: HTTP AUTH BASIC monowall bkfsec (Mar 17)
- Re: HTTP AUTH BASIC monowall Tim (Mar 17)
- Re: HTTP AUTH BASIC monowall bkfsec (Mar 16)
- Re: HTTP AUTH BASIC monowall Simon Smith (Mar 17)
- Re: HTTP AUTH BASIC monowall Brian Eaton (Mar 17)
- Re: HTTP AUTH BASIC monowall Valdis . Kletnieks (Mar 16)
- Re: HTTP AUTH BASIC monowall Brian Eaton (Mar 16)
- Re: HTTP AUTH BASIC monowall Valdis . Kletnieks (Mar 16)
- <Possible follow-ups>
- Re: HTTP AUTH BASIC monowall Jason Coombs (Mar 16)
- Re: HTTP AUTH BASIC monowall Jason Coombs (Mar 16)
- Re: HTTP AUTH BASIC monowall Dave Korn (Mar 17)