Full Disclosure mailing list archives

Re: HTTP AUTH BASIC monowall


From: "Jason Coombs" <jasonc () science org>
Date: Thu, 16 Mar 2006 23:31:28 +0000 GMT

bkfsec wrote:
> Frankly, the whole "web of trust" is a flawed idea.  "Because A trusts
> B, and B trusts C, then A can (must?) trust C" is, excuse the lack of
> civility, utter bullshit.
>
> I trust my friends, it doesn't mean that I trust their friends.

You're applying the sick-and-stupid-Verisign-monopoly-business-strategy version of the 'web of trust' idea to all webs 
of trust, and that's incorrect.

Verisign is guilty of fraud in even suggesting that the CA (and the SSL certs it issues) does anything at all other 
than what you describe -- but don't throw the web of trust baby out with Verisign's dirty business bathwater.

The 'security' problem that a proper 'web of trust' solves nicely is the one in which particular entities are 
associated with individual public keys. There is no especially good way, aside from a properly-implemented web of 
trust, for many-to-many reliable distributed discovery of the public key-to-entity mapping that is most probably 
accurate because it is the correlation that your trusted associates assure you they have successfully relied on in the 
past to engage in communication with the party they believe to be the owner of a particular public key.

SSL does not implement any reasonable trust mechanism today because Verisign dumbed it down in order to create a 
universal mechanism to tax the Internet.

Best,

Jason Coombs
jasonc () science org
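As an added illustration of the distinction drawn above (not code from this post, and not any real PGP implementation): a toy PGP-style validity calculation in which "owner trust" is a local decision that never propagates along the chain, while key-to-owner validity does. All names, key ids and trust settings below are constructed.

```python
from collections import defaultdict

COMPLETE, MARGINAL, NONE = "complete", "marginal", "none"

# Constructed sample certifications: (signer, key_id, claimed owner).
CERTIFICATIONS = [
    ("alice", "key_bob",   "bob"),    # Alice checked Bob's key herself
    ("bob",   "key_carol", "carol"),  # Bob vouches for Carol's key
    ("bob",   "key_dave",  "dave"),
    ("carol", "key_dave",  "dave"),
    ("carol", "key_eve",   "eve"),    # only Carol vouches for Eve
]

def key_validity(me, owner_trust, certs, need_complete=1, need_marginal=2):
    """Return {key_id: owner} for every key->owner binding valid to `me`.

    owner_trust is `me`'s own, local decision about who may act as an
    introducer (COMPLETE / MARGINAL / NONE). A certification counts only if
    (a) the signer's own key is already valid to `me` and (b) `me` trusts the
    signer as an introducer. Validity spreads hop by hop; trust never does.
    """
    trust = dict(owner_trust)
    trust[me] = COMPLETE                    # I trust my own certifications
    sigs = defaultdict(list)
    for signer, key_id, owner in certs:
        sigs[(key_id, owner)].append(signer)
    valid, valid_owners, changed = {}, {me}, True
    while changed:                          # repeat until no new key becomes valid
        changed = False
        for (key_id, owner), signers in sigs.items():
            if key_id in valid:
                continue
            usable = [s for s in signers if s in valid_owners]
            complete = sum(trust.get(s) == COMPLETE for s in usable)
            marginal = sum(trust.get(s) == MARGINAL for s in usable)
            if complete >= need_complete or marginal >= need_marginal:
                valid[key_id] = owner
                valid_owners.add(owner)
                changed = True
    return valid

def alice_view(carol_trust=NONE):
    """Alice fully trusts Bob as an introducer; her view of Carol is a parameter."""
    return key_validity("alice", {"bob": COMPLETE, "carol": carol_trust}, CERTIFICATIONS)

if __name__ == "__main__":
    # Bob vouched for Carol's key, so it is valid to Alice, but that does NOT
    # make Alice trust Carol as an introducer: Eve's key stays unverified.
    print(alice_view())                      # key_eve absent
    print(alice_view(carol_trust=COMPLETE))  # Alice chose to trust Carol: key_eve valid
```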
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
