nanog mailing list archives

Re: The state-level attack on the SSL CA security model
From: Ariel Biener <ariel () post tau ac il>
Date: Sat, 26 Mar 2011 21:33:55 +0200

On 25/03/2011 6:45 PM, Valdis.Kletnieks () vt edu wrote:
> On Fri, 25 Mar 2011 09:19:52 PDT, "Akyol, Bora A" said:
> > One could argue that you could try something like the facebook model (or
> > facebook itself). I can see it coming.
> > Facebook web of trust app ;-)
> Gee thanks.  I'm going to have nightmares for *weeks* now... :)
Based on the Facebook model:

1. Friends - people among whom are some I most probably never knew before, or some I would not even say hello to.
2. Trusted friends - people I actually say hello to

I think you'll need "Highly trusted friends" as a 3rd level :)

And that will hold for about 1 month, until people start banging on your "inner circle" virtual door, and soon enough your list of trusted and highly trusted friends will start filling up.

What does "trusted" mean in this particular case? There is no one list of criteria for being "trustworthy", and some people are more trusting than others. How would trustworthiness be measured anyhow? How many people signed your thing who are also trustworthy themselves (which means that their SIG was also signed by trustworthy people; see the vicious circle)? And would people from a certain part of the globe or certain countries be more trustworthy based on their country's trustworthiness, or maybe on their culture being more open and trusting?

If this is to become some kind of global meaningful thing, it needs to be standardized, so it will have the same meaning regardless of where it is applied, and it will have straightforward means of "measuring" trust. Is there such a standard in place?

Just for an example, we have in Israel a CA that is recognized by the government - they are allowed to issue certificates used for signing documents - and signing with certs issued by this CA is admissible in court under the electronic signatures law. The government has put up a certain standard for what a CA needs to do in order to be recognized as trustworthy. Only one CA in Israel attained this status. Does that mean they are trustworthy to you? I don't think so. So it can't be a local thing, it needs to be a global thing, and the standard needs to be global and accepted as well.

--Ariel