- From: Henry Story <henry.story@gmail.com>
- Date: Mon, 16 Aug 2021 13:37:42 +0200
- To: David Chadwick <d.w.chadwick@verifiablecredentials.info>
- Cc: Chris Gough <chris.gough@gosource.com.au>, Steve Capell <steve.capell@gmail.com>, daniel.hardman@gmail.com, Bob Wyman <bob@wyman.us>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-Id: <8F66988B-39C9-4278-8786-800BCE554AA7@gmail.com>
> On 16. Aug 2021, at 12:14, David Chadwick <d.w.chadwick@verifiablecredentials.info> wrote:
>
> On 16/08/2021 08:46, Henry Story wrote:
>> This is nearly completely overseen because of the poverty of information in
>> existing X509 certificates! Humans can make trust decisions, but not with
>> at minimum a name, or at most a static text address.
>>
> This was the case 10 years ago, but with DV PKCs you know that your browser is connecting securely to the web site that owns the DNS name in the PKC that you are connecting to. That provides more trust than was originally the case.
>
> With EV PKCs in addition you know that the owner of the web site is a registered company with the specified name and that they physically exist. So that provides an increased level of trust. If the name is one you recognise then you can trust that your browser is talking to the company that you know.
>
> So things have improved. They are not yet perfect, but they are not as bad as you imply

No, that is exactly as bad as I was trying to imply :-)

I have thought about this issue for over 10 years, having started building a decentralised Web of trust using X509 client certificates ( https://webid.info/ ). I have pictures of web site certificates in the browser in this blog post, "Stopping (https) phishing" from 2018, where I argue carefully that knowing the name and address of an entity is nowhere near enough. That is: in order for people to distinguish between https://facebook.com.trust.me/ and the real thing they need to see all of the URL in the browser bar. But those are often partially hidden, and the information in the certificate is sooooooooooo uninteresting that only a security geek like everyone on this list would bother to look at it, and only if paid to do so.

Consider: you don't have to pay people to watch Hollywood movies! They pay to go and watch them!

I don't intend to say that certificates have to be as entertaining as Rango, which I just watched recently with my kids ( https://www.imdb.com/title/tt1192628/ ), but it has to be more than a little piece of text with an address somewhere in the world. This is what you get now:

[image: 1_h46VG_cnxIKL5rgpHHNS7w.png]

What you want is a window opening up with rich live information: shop opening hours perhaps, but possibly scandals, bankruptcy, or phenomenal growth stories! A map of the world showing where the company is located. Local news over there perhaps. Ok, that's exaggerating, but it's just to help make the point about how far one is from something people want to look at.

And that is not the poor browser UI designers' fault! Some tried really hard. But there is (nearly) nothing they can do with the poverty of information available in a certificate.

Of course such up-to-date information cannot be gathered just in a certificate. But the info from the certificate could be updated with a lot more information, from Companies House for example, your trusted police, or .... A lot of room for brainstorming and creativity is possible there.

Henry

>
> Kind regards
>
> David
>
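The DV versus EV distinction discussed in the exchange above comes down to which fields a leaf certificate actually carries. The following Go program is an added example, not code from the thread or from either participant: it mints a DV-style leaf (only a host name) and an EV-style leaf (organization, registration number, jurisdiction and business category in the subject, plus the CA/Browser Forum EV policy OID 2.23.140.1.1), then extracts the identity information a browser could show and checks the host binding. The certificates are self-signed via a hypothetical `selfSign` helper so the example runs offline; the host names, company name and registration number are constructed sample data. The look-alike host `facebook.com.trust.me` is the one from the message above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDs from X.520 and the CA/Browser Forum EV Guidelines.
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidCABFEV              = asn1.ObjectIdentifier{2, 23, 140, 1, 1} // CA/B Forum EV policy
	oidBusinessCategory    = asn1.ObjectIdentifier{2, 5, 4, 15}
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
)

// Summary is the identity information a browser can surface from one leaf certificate.
type Summary struct {
	DNSNames         []string
	Organization     string
	Jurisdiction     string
	RegistrationNo   string
	BusinessCategory string
	EVPolicy         bool
}

// policyInformation mirrors RFC 5280 PolicyInformation without qualifiers.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// selfSign is a hypothetical helper for this example: it issues a self-signed leaf from a
// template so everything runs offline. Real DV/EV certificates are signed by a CA.
func selfSign(tmpl *x509.Certificate) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = big.NewInt(1)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewDVCert builds a DV-style leaf: the only thing asserted is control of the host name.
func NewDVCert(host string) (*x509.Certificate, error) {
	return selfSign(&x509.Certificate{
		Subject:  pkix.Name{CommonName: host},
		DNSNames: []string{host},
	})
}

// NewEVCert builds an EV-style leaf: the subject carries the EV identity attributes and
// the certificatePolicies extension carries the CA/B Forum EV OID.
func NewEVCert(host, org, country, regNo string) (*x509.Certificate, error) {
	policies, err := asn1.Marshal([]policyInformation{{Policy: oidCABFEV}})
	if err != nil {
		return nil, err
	}
	return selfSign(&x509.Certificate{
		Subject: pkix.Name{
			CommonName:   host,
			Organization: []string{org},
			Country:      []string{country},
			SerialNumber: regNo, // company registration number in EV subjects
			ExtraNames: []pkix.AttributeTypeAndValue{
				{Type: oidBusinessCategory, Value: "Private Organization"},
				{Type: oidJurisdictionCountry, Value: country},
			},
		},
		DNSNames:        []string{host},
		ExtraExtensions: []pkix.Extension{{Id: oidCertificatePolicies, Value: policies}},
	})
}

// Summarize pulls out what a browser could show a user: nothing beyond the host for DV,
// company identity plus the EV policy marker for EV.
func Summarize(c *x509.Certificate) Summary {
	s := Summary{DNSNames: c.DNSNames, RegistrationNo: c.Subject.SerialNumber}
	if len(c.Subject.Organization) > 0 {
		s.Organization = c.Subject.Organization[0]
	}
	for _, atv := range c.Subject.Names { // all parsed subject attributes, standard or not
		v, _ := atv.Value.(string)
		switch {
		case atv.Type.Equal(oidBusinessCategory):
			s.BusinessCategory = v
		case atv.Type.Equal(oidJurisdictionCountry):
			s.Jurisdiction = v
		}
	}
	for _, p := range c.PolicyIdentifiers {
		if p.Equal(oidCABFEV) {
			s.EVPolicy = true
		}
	}
	return s
}

// HostMatches reports whether the certificate is valid for the host the user typed.
// A DV cert for facebook.com.trust.me is perfectly valid, just not for facebook.com.
func HostMatches(c *x509.Certificate, host string) bool {
	return c.VerifyHostname(host) == nil
}

func main() {
	dv, _ := NewDVCert("facebook.com.trust.me")
	ev, _ := NewEVCert("www.example.com", "Example Ltd", "GB", "12345678")
	fmt.Printf("DV: %+v\n", Summarize(dv))
	fmt.Printf("EV: %+v\n", Summarize(ev))
	fmt.Println("DV matches facebook.com?", HostMatches(dv, "facebook.com"))
}
```

The point the summary makes concrete: everything a DV certificate lets the UI say is the host name, and the look-alike host is a fully valid binding for that name; the EV subject adds a handful of registry fields, which is still static text about the company rather than anything a user would choose to look at.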
Attachments
- text/html attachment: stored
- image/png attachment: 1_h46VG_cnxIKL5rgpHHNS7w.png
Received on Monday, 16 August 2021 11:37:58 UTC