W3C home > Mailing lists > Public > public-credentials@w3.org > August 2021

Rango WoN Re: Public consultation on EU digital principles

From: Henry Story <henry.story@gmail.com>
Date: Mon, 16 Aug 2021 13:37:42 +0200
Message-Id: <8F66988B-39C9-4278-8786-800BCE554AA7@gmail.com>
Cc: Chris Gough <chris.gough@gosource.com.au>, Steve Capell <steve.capell@gmail.com>, daniel.hardman@gmail.com, Bob Wyman <bob@wyman.us>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
To: David Chadwick <d.w.chadwick@verifiablecredentials.info>


> On 16. Aug 2021, at 12:14, David Chadwick <d.w.chadwick@verifiablecredentials.info> wrote:
> 
> On 16/08/2021 08:46, Henry Story wrote:
>> This is nearly completely overseen because of the poverty of information in 
>> existing X509 certificates! Humans can make trust decisions, but not with
>> at minimum a name, or at most a static text address.
>> 
> This was the case 10 years ago, but with DV PKCs you know that your browser is connecting securely to the web site that owns the DNS name in the PKC that you are connecting to. That provides more trust than was originally the case.
> 
> With EV PKCs in addition you know that the owner of the web site is a registered company with the specified name and that they physically exist. So that provides an increased level of trust. If the name is one you recognise then you can trust that your browser is talking to the company that you know.
> 
> So things have improved. They are not yet perfect, but they are not as bad as you imply

No, that is exactly as bad as I was trying to imply :-)

I have thought about this issue for over 10 years, having started
building decentralised Web of trust using X509 client 
certificates ( https://webid.info/ ).

I have pictures from Web Site certificates in the browser in this blog post
“Stopping (https) phishing” from 2018, where I argue carefully that knowing 
the name and address of an entity is nowhere near enough.

That is: in order for people to distinguish between 
https://facebook.com.trust.me/ and the real thing
they need to see all the URL in the browser bar. 
But those are often partially hidden, and the information
in the certificate is sooooooooooo uninteresting that only
a security geek like everyone on this list would bother
to look at it, and only if paid to do so. 

Consider: You don’t have to pay people to watch Hollywood movies! They
pay to go and watch them!

I don’t intend to say that certificates have to be as entertaining
as Rango which I just watched recently with my kids,
   ( https://www.imdb.com/title/tt1192628/ )
but it has to be more than a little piece of text with an 
address somewhere in the world. This is what you get now:

[image attachment: 1_h46VG_cnxIKL5rgpHHNS7w.png]
What you want is a window opening up with rich 
live information: shop opening hours perhaps, but
possibly scandals, bankruptcy, or phenomenal growth stories!
A map of the world showing where the company is located.
Local news over there perhaps.  

Ok. That’s exaggerating, but it’s just to help make the point
about how far one is from something people want to look at.
And that is not the poor browser UI designers’ fault!
Some tried really hard. But there is (nearly) nothing they 
can do with the poverty of information available in a certificate.

Of course such up to date information cannot be gathered just
in a certificate. But the info from the certificate could be
updated with a lot more information, from Companies House for
example, your trusted police, or ....

A lot of room for brainstorming and creativity is possible there.

Henry


> 
> Kind regards
> 
> David
> 
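The lookalike host in the exchange above (facebook.com.trust.me against the real facebook.com) can be made concrete with a few lines of URL parsing. This is an added example, not code from the original message or from either author. It assumes a hypothetical expected name of facebook.com, a set of constructed URLs, and a two-label approximation of the registrable domain (a real implementation would consult the Public Suffix List, which is deliberately left out). What it shows: a DV certificate binds only the hostname that appears in the URL bar, so the padlock is present for both hosts; only a label-boundary comparison of the full hostname, not a substring search of the kind a hurried eye performs, tells them apart.

```python
"""Lookalike hostnames versus the site a user thinks they are on.

Added example for the thread above; the URLs and the expected name are
constructed for illustration and do not come from the original message.
"""
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels of host.

    This is a stand-in for the registrable domain (eTLD+1).  A production
    check would consult the Public Suffix List so that e.g. 'example.co.uk'
    is handled; that is omitted here on purpose.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def naive_match(url: str, expected: str) -> bool:
    """The check a hurried reader (or a sloppy filter) performs:
    does the expected name appear anywhere in the URL text?"""
    return expected.lower() in url.lower()


def strict_match(url: str, expected: str) -> bool:
    """Compare the parsed hostname against the expected name on a label
    boundary: the host must be identical or a subdomain of it.

    urlsplit().hostname drops scheme, userinfo, port, path and query, which
    is exactly the part a DV certificate is issued for.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    expected = expected.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def classify(url: str, expected: str) -> dict:
    """Summarise what a human sees (naive) and what the DNS name actually
    says (owner, strict) for one URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return {
        "host": host,
        "owner": registrable_domain(host),
        "naive": naive_match(url, expected),
        "strict": strict_match(url, expected),
    }


# Constructed sample URLs (hypothetical; not from the original message).
SAMPLE_URLS = [
    "https://www.facebook.com/login",         # the real thing
    "https://facebook.com.trust.me/",         # subdomain of trust.me
    "https://facebook.com@trust.me/",         # userinfo trick, host is trust.me
    "https://trust.me/facebook.com/",         # expected name only in the path
    "https://notfacebook.com/",               # no label boundary before the name
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = classify(u, "facebook.com")
        print(f"{u:40} host={r['host']:24} owner={r['owner']:14} "
              f"naive={r['naive']!s:5} strict={r['strict']}")
```

Every one of the constructed URLs except the first fails the strict check while passing the naive one, and every host in the list can obtain a DV certificate, so each would show the padlock; the certificate itself carries nothing that would let the viewer tell trust.me apart from the company they expected.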



Received on Monday, 16 August 2021 11:37:58 UTC
