Re: Fwd: Re: as trustworthy as the hierarchical CA system currently in place...

On 5 March 2012 19:45, <nilclass@riseup.net> wrote:

>
> > --- Begin forwarded message from Henry Story ---
> > From: Henry Story <henry.story@bblfish.net>
> > To: elf Pavlik <perpetual-tripper@wwelves.org>
> > Cc: public-webid <public-webid@w3.org>
> > Date: Mon, 05 Mar 2012 13:25:27 +0000
> > Subject: Re: as trustworthy as the hierarchical CA system currently in place...
> >
> >
> > On 4 Mar 2012, at 18:04, elf Pavlik wrote:
> >
> >> Hello,
> >>
> >> After pointing my friend to WebID, he has shared this comment (original
> >> linked later):
> >>
> >> "After reading the WebID specification once again, I'm not so sure
> >> anymore, whether I would want to use it.
> >>
> >> As described in section 2.2, the public key is published via the WebID
> >> Profile, which is basically a FOAF profile. While section 3.4.2 does
> >> note that "An HTTPS WebID will therefore be a lot more trustworthy than
> >> an HTTP WebID by a factor of the likelihood of man in the middle
> >> attacks", however the whole system is only as trustworthy as the
> >> hierarchical CA system currently in place.
> >>
> >> How can a web-of-trust be useful, if all the trust is based on a trust
> >> system that has been shown to be untrustworthy for more than a decade?"
> >>
> >> https://heahdk.net/~nil/news/0005-webid-revisited
> >
> > Security is like knowledge: it is a modal notion which like knowledge
> > comes in degrees. There is no such thing as absolute security, and no
> > such thing as absolute certainty. This does not mean that there is no
> > such thing as knowledge. Read Robert Nozick's section on knowledge in
> > his Philosophical Explanations, for a good modal analysis [1]
>
> True.
>
> >
> > So we are pragmatic and working with the current CA system which has its
> > limitations, but allows us to get off the ground. The TLS system can be
> > improved in a number of ways, as work by the IETF DANE group [2] is
> > showing, or other projects we mentioned on this list (pointers?) where
> > people are setting up services to verify self signed certificates. One
> > can then go even further and develop naming systems that don't rely on
> > DNS, but they fall into Zooko's triangle, and are no longer readable. So
> > we are here interested in getting the basic piece working. Improvements
> > can then come in many different ways.
>
> I understand the pragmatism and welcome it. Thanks for pointing out the
> DANE group, I will start reading there. But I did (and do) think that it
> should be made clear, that the knowledge that you have about the
> authenticity of a peer after authenticating via WebID is only as likely to
> be true, as the whole chain of authentication leading to the conclusion of
> that knowledge is likely to be compromised. As with the CA system it is
> hard for a regular user to achieve any knowledge about the likelihood of
> that happening, as the closest link in the chain - the certificate issuer
> - is usually already a company to which the person doesn't have a personal
> relationship. Beyond that, there are more or less anonymous
> companies. The only information on those, that knowledge can be built upon
> is public opinion, PR campaigns and a generic belief in righteousness.
> But I don't have any alternative to present right now, so I should
> probably stop whining. Anyway, I like the effort of WebID in general and
> will start reading this list now.
>

What about?

http://convergence.io/

Ultimately you control which companies you trust, it's just that 99.999% of
people go with the default settings ....


>
> '()
>
> >
> >   Henry
> >
> >
> >
> > [1] https://blogs.oracle.com/bblfish/entry/the_fifth_dimension
> > [2] http://tools.ietf.org/wg/dane/
> >
> >>
> >> Any references to previous discussion on this issue?
> >> Thanks!
> >> ~ elf Pavlik ~
> >>
> >
> > Social Web Architect
> > http://bblfish.net/
> > --- End forwarded message ---
> >

Received on Wednesday, 7 March 2012 15:00:06 UTC