- From: Nico Williams <nico@cryptonector.com>
- Date: Mon, 30 Apr 2012 12:31:24 -0500
- To: Henry Story <henry.story@bblfish.net>
- Cc: "tls@ietf.org List" <tls@ietf.org>, public-webid <public-webid@w3.org>
On Mon, Apr 30, 2012 at 11:46 AM, Henry Story <henry.story@bblfish.net> wrote:
> TLS currently helps one know that when one opens a connection to a service (domain:port pair)
> one is actually connected to the machine that officially owns that domain. It does not
> give one the big picture of what kind of entity one is actually connected to:
> ie. it does not answer the following questions:
>
> - is this a legal entity?
> - which country is it based in (or which legal framework is it responsible to)
> - who are the owners
> - what kind of organisation is it? (individual, bank, commerce, school, university, charity...)

These are not things I've cared much about in the brick and mortar world because those things are implied. It's... difficult to put up a fake bank, with fake tellers, advertisement, and so on. Not so difficult to put up or hack hole-in-the-wall ATMs, but then I don't use hole-in-the-wall ATMs. In the off-line world this approach pervades.

Now, it is true that I care about track records (e.g., when making investments), but I've never asked "who are the owners?", except for small restaurants/shops that I like and where knowing the owners is a social benefit. I've also not asked "is this a legal entity". Maybe I'm just naive? When I see a doctor I see diplomas on their office walls, but I don't go double checking them. And so on.

In the on-line world some of these questions are more interesting, but only because trust is harder to establish. And anyways, we don't get answers to these questions on-line, not most users anyways. The trick is to get domain names to reflect the same things that brick and mortar sites do.

> In a recent talk I gave at the European Identity conference in Biel, Switzerland, I looked
> at how this extra information could be made available by using WebID and Linked Data, published
> by official entities in ways that gave those documents legal weight. This would not be technically
> very difficult to do, but would provide huge benefits to the web. It could increase trust
> in the way people use the web, and it could enable commerce in a much broader way than hitherto
> found on the web.

No matter what we're still talking about how to establish trust. That's the hard part. How do I trust that such and such corporation owns some website? I have to know who is making that statement, and for that I must authenticate them, and I've to decide if they can make that statement authoritatively, and whether I trust them (even if I can authenticate them).

Assuming the TLS server PKI works then you're right, this is simple to add as a *protocol*. Though you'd still need to get someone to do the vouching: it won't be governments, since there are so many ones that are authoritative at some level that users could not really authorize them to make these statements, so it has to be some commercial operation, or a national-level agency. That sounds so difficult to pull off, and likely to provide so little value that I don't think it can happen.

But on a smaller scale it could happen, and, indeed, it does already. What I have in mind is federations of like companies. Sites like Amazon, eBay, and Yahoo! already have, effectively, federations of vendors. I'd like to see a federation of banks.

Nico

--
Received on Monday, 30 April 2012 17:31:49 UTC