Full Disclosure mailing list archives

Re: HTTP AUTH BASIC monowall


From: Tim <tim-security () sentinelchicken org>
Date: Thu, 16 Mar 2006 18:25:38 -0500


> Frankly, the whole "web of trust" is a flawed idea.  "Because A trusts
> B, and B trusts C, then A can (must?) trust C" is, excuse the lack of
> civility, utter bullshit.
>
> I trust my friends; it doesn't mean that I trust their friends.  In this
> case, it's even more flawed because we're not talking about trusting a
> friend of a friend... we're talking about trusting people that our
> friends have met on the street... and that's it.


I think you are lumping several types of trust into one.  (Though please
correct me if I'm wrong.)

In PGP's web of trust (which is by no means perfect), one can specify
two types of trust: how much we trust a person is who they say they are,
and how much we trust a person to properly verify the identities of
others.

These two types of trust have nothing to do with how these people
behave.  Will they try to screw us?  Spam us?  Who knows.  That's not
the point; the point in these systems is to identify people.  The
easiest way to do that is to tie their keys to something more difficult
to change in the real world (driver's license, etc).


So, I argue the two-parameter, trust-degrading system OpenPGP uses fails
much more gracefully than SSL's PKI.  I can ultimately trust that your
key is really yours, but I don't have to trust that you'll properly
verify others' keys.  As we follow the transitive chain of trust, the
trust decreases.

People really do operate in webs like this.  Obviously verifying
identities yourself is safer, but if your buddy tells you someone is
legit, you will likely trust that at least a little (and with PGP, you
can trust that referral as much or little as you like, without telling
your buddy how much you trust him).

Please tell me how this is worse than all-or-nothing CA trust in SSL.
(Besides issues with usability.)

cheers,
tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
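As an added illustration of the two trust types and the degrading chain described in the reply above (example code written for this archive page, not code from the post or from any OpenPGP implementation): a simplified model of the web-of-trust validity computation run over a constructed set of keys and certifications, next to a reachability-only function standing in for the all-or-nothing CA model it is contrasted with. The thresholds (one fully trusted introducer or two marginally trusted ones, a maximum certification depth of 3) and the rule that only fully valid keys may act as introducers are assumptions chosen for illustration, not the defaults of any particular implementation.

```python
from enum import IntEnum
from typing import Dict, Optional, Set, Tuple


class Trust(IntEnum):
    """Used for two separate things, as in OpenPGP:
    - key validity: NONE / MARGINAL / FULL (do we believe the key is who it says?)
    - owner trust:  NONE / MARGINAL / FULL / ULTIMATE (do we trust the owner
      to verify *other* people's identities, i.e. to act as an introducer?)
    """
    NONE = 0
    MARGINAL = 1
    FULL = 2
    ULTIMATE = 3


# key -> (validity, certification depth at which it became valid; None if not valid)
Validity = Dict[str, Tuple[Trust, Optional[int]]]


def compute_validity(certs: Dict[str, Set[str]], owner_trust: Dict[str, Trust],
                     our_key: str, marginals_needed: int = 2,
                     max_cert_depth: int = 3) -> Validity:
    """Simplified web-of-trust validity (assumed rules, for illustration).

    certs:       subject key -> set of keys that certified (signed) it
    owner_trust: key -> how far we trust that owner as an introducer
    A key becomes FULLy valid if certified by one FULL/ULTIMATE introducer or by
    `marginals_needed` MARGINAL introducers; MARGINALly valid if certified by at
    least one MARGINAL introducer; otherwise NONE.  Only fully valid keys inside
    the depth limit may introduce, so trust decays along the chain.
    """
    keys = set(certs) | {s for signers in certs.values() for s in signers} | {our_key}
    validity: Validity = {k: (Trust.NONE, None) for k in keys}
    validity[our_key] = (Trust.FULL, 0)          # our own key is valid by definition
    for level in range(1, max_cert_depth + 1):
        # Introducers for this level: fully valid at a shallower depth and
        # explicitly trusted (at least marginally) to verify others.
        introducers = {k for k, (v, d) in validity.items()
                       if v == Trust.FULL and d is not None and d < level
                       and owner_trust.get(k, Trust.NONE) >= Trust.MARGINAL}
        for subject in keys:
            current, _ = validity[subject]
            if current == Trust.FULL:
                continue
            signers = certs.get(subject, set()) & introducers
            fulls = sum(1 for s in signers if owner_trust.get(s, Trust.NONE) >= Trust.FULL)
            marginals = sum(1 for s in signers if owner_trust.get(s, Trust.NONE) == Trust.MARGINAL)
            if fulls >= 1 or marginals >= marginals_needed:
                result = Trust.FULL
            elif marginals >= 1:
                result = Trust.MARGINAL
            else:
                result = Trust.NONE
            if result > current:                 # keys only ever move up, at minimal depth
                validity[subject] = (result, level)
    return validity


def ca_model_validity(certs: Dict[str, Set[str]], trusted_roots: Set[str]) -> Set[str]:
    """Caricature of the all-or-nothing model the post contrasts with: anything
    reachable by a signature chain from a trusted root is fully valid, with no
    depth limit and no per-introducer trust setting."""
    valid = set(trusted_roots)
    changed = True
    while changed:
        changed = False
        for subject, signers in certs.items():
            if subject not in valid and signers & valid:
                valid.add(subject)
                changed = True
    return valid


# Constructed sample graph (hypothetical people, not real keys).
CERTS: Dict[str, Set[str]] = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"},
    "dave": {"alice"},           # one fully trusted introducer
    "erin": {"bob", "carol"},    # two marginally trusted introducers
    "frank": {"bob"},            # only one marginal introducer
    "grace": {"dave"},           # dave is valid but we gave him no owner trust
    "heidi": {"frank"},          # frank is only marginally valid, so cannot introduce
    "ivan": {"erin"},            # erin is fully valid but only marginally trusted
}
OWNER_TRUST: Dict[str, Trust] = {
    "me": Trust.ULTIMATE, "alice": Trust.FULL, "bob": Trust.MARGINAL,
    "carol": Trust.MARGINAL, "dave": Trust.NONE, "erin": Trust.MARGINAL,
    "frank": Trust.FULL,
}

if __name__ == "__main__":
    for key, (v, d) in sorted(compute_validity(CERTS, OWNER_TRUST, "me").items()):
        print(f"{key:6} validity={v.name:8} depth={d}")
    print("CA-style model trusts:", sorted(ca_model_validity(CERTS, {"me"})))
```

Running it shows the two knobs at work: dave is fully valid but cannot vouch for grace because we never said we trust his verification, frank is only marginally valid because one marginal introducer is not enough, and ivan ends up merely marginally valid at depth 3 (and not valid at all with `max_cert_depth=2`), whereas the reachability-only model marks every key in the graph as fully valid.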