- From: Henry Story <henry.story@bblfish.net>
- Date: Mon, 30 Apr 2012 21:24:08 +0200
- To: Nico Williams <nico@cryptonector.com>
- Cc: "tls@ietf.org List" <tls@ietf.org>, public-webid <public-webid@w3.org>
On 30 Apr 2012, at 19:31, Nico Williams wrote: > On Mon, Apr 30, 2012 at 11:46 AM, Henry Story <henry.story@bblfish.net> wrote: >> TLS currently helps one know that when opens a connection to a service (domain:port pair) >> one is actually connected to the machine that officially owns that domain. It does not >> give one the big picture of what kind of entity one is actually connected to: >> ie. it does not answer the following questions: >> >> - is this a legal entity? >> - which country is it based in (or which legal framework is it responsible to) >> - who are the owners >> - what kind of organisation is it? (individual, bank, commerce, school, university, charity...) > > There are not things I've cared much about in the brick and mortar > world because those things are implied. It's... difficult to put up a > fake bank, with fake tellers, advertisement, and so on. Not so > difficult to put up or hack hole-in-the-wall ATMs, but then I don't > use hole-in-the-wall ATMs. In the off-line world this approach > pervades. Now, it is true that I care about track records (e.g., when > making investments), but I've never asked "who are the owners?", > except for small restaurants/shops that I like and where knowing the > owners is social benefit. I've also not asked "is this a legal > entity". Maybe I'm just naive? When I see a doctor I see diplomas on > their office walls, but I don't go double checking them. And so on. exactly. That may have been a better way to introduce the subject in the presentation! > In the on-line world some of these questions are more interesting, but > only because trust is harder to establish. And anyways, we don't get > answers to these questions on-line, not most users anyways. The trick > is to get domain names to reflect the same things that brick and > mortar sites do. yes, but a domain name can be reached by clicking a page that is not behind https, and so a man in the middle attack could have changed the originating link, even if it came from a trusted source. Also with people typing in urls it is easy to make a spelling mistake that a clever domain hacker could have bought. Finally there are many online businesses that are perhaps very reliable - a small swiss watch maker for example - which don't have the marketing power to make us all remember their name. The linked data web could help here. Browsers could use the background "institution web" graph to help users identify the site they are on. If browsers don't do that other companies could provide widgets or browser plugins to fill the gap. > >> In a recent talk I gave at the European Identity conference in Biel, Switzerland, I looked >> at how this extra information could be made available by using WebID and Linked Data, published >> by official entities in ways that gave those documents legal weight. This would not be technically >> very difficult to do, but would provide huge benefits to the web. It could increase trust >> in the way people use the web, and it could enable commerce in a much broader way that hitherto >> found on the web. > > No matter what we're still talking about how to establish trust. > That's the hard part. How do I trust that such and such corporation > owns some website? I have to know who is making that statement, and > for that I must authenticate them, and I've to decide if they can make > that statement authoritatively, and whether I trust them (even if I > can authenticate them). yes. All businesses tend to be registered somewhere: be it either with the local authority, or with some tax office, or with the stock exchange,... > > Assuming the TLS server PKI works then you're right, this is simple to > add as a *protocol*. Though you'd still need to get someone to do the > vouching: it won't be governments, since there are some many ones that > are authoritative at some level that users could not really authorize > them to make these statements, so it has to be some commercial > operation, or a national-level agency. yes. > That sounds so difficult to pull off, and likely to provide so little > value that I don't think it can happen. I think the value is quite big in fact, and it would not be that difficult to do technically. Getting all of these institutions to coordinate would be more difficult to do I agree, and one would have to start somewhere where the value and the will is there: perhaps the stock exchanges or banks. In my presentation I illustrate the idea with banks. How it gets going in actual fact is of course wide open. It would be something one could run some fruitful test cases to see what is required. > > But on a smaller scale it could happen, and, indeed, it does already. > What I have in mind is federations of like companies. Sites like > Amazon, eBay, and Yahoo! already have, effectively, federations of > vendors. I'd like to see a federation of banks. Yes. That's the example I used. In Switzerland it was suggested that companies such as Swatch that have a lot of resellers that are always changing might also have a need for something like this. This is why I think that attacking this from both the social networking side and the more formal institutional side is useful. The institutional side helps people see how trust can work in a distributed manner - it always has. It is just that we tend to think of governments as central agencies, whereas in reality they are distributed: each state is a peer in the social network of states. I'd be happy to work with some organisations that are interested in trying this out. Henry > > Nico > -- Social Web Architect http://bblfish.net/
Received on Monday, 30 April 2012 19:24:42 UTC