Full Disclosure mailing list archives
Re: HTTP AUTH BASIC monowall
From: bkfsec <bkfsec () sdf lonestar org>
Date: Fri, 17 Mar 2006 10:24:59 -0500
Tim wrote:

> I think you are lumping several types of trust into one. (Though please correct me if I'm wrong.)

My discussion was meant solely to discuss the "web of trust" as it relates to SSL Cert Authorities, which was the scope of my message. I wouldn't refer to the PGP "web of trust" as having the same issues because, as you accurately point out, the two methods of trust are different.

And, again, as you accurately point out, the reason why SSL cert trust is flawed is the distinction of "forced trust"... meaning that in the SSL cert game, you have to trust the CAs... whereas in PGP trust you're actually trusting someone you know and deciding on trust in a more granular fashion.

> So, I argue the two-parameter, trust-degrading system OpenPGP uses fails much more gracefully than SSL's PKI. I can ultimately trust that your key is really yours, but I don't have to trust that you'll properly verify others' keys. As we follow the transitive chain of trust, the trust decreases.

And I would agree with you completely.

> People really do operate in webs like this. Obviously verifying identities yourself is safer, but if your buddy tells you someone is legit, you will likely trust that at least a little (and with PGP, you can trust that referral as much or little as you like, without telling your buddy how much you trust him).

Yes, they do... it's where the whole thing becomes automated and "submerged" (as it is with SSL) that things become flawed. Some people tend to ratchet the web of trust onto SSL in an attempt to show that it is verifiable ("the CAs would NEVER falsely identify an organization because then you'd NEVER trust them", etc...) and that's where the mistake is made.

There's some truth to the statement that CAs want to avoid falsely certifying organizations... but the problem is that people assume that they're detectives at verifying business practice and that is not the case. It's just not in the scope of what they do. They're in the business of verifying identity and providing certificates for cryptographic usage... no more, no less. :)

> Please tell me how this is worse than all-or-nothing CA trust in SSL. (Besides issues with usability.)

It's not at all worse... it's just that people apply the wrong level of consideration to certificates sometimes and this ends with the result of giving people a false sense of security when they see that little padlock at the bottom of their screen.

Don't get me wrong, there's obvious value in the certificate system. Because I waxed philosophical about webs of trust doesn't mean I want to throw the baby out with the bathwater. :)
-bkfsec

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
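The two trust models Tim and bkfsec are comparing, as an added illustration that is not part of the thread and not code from GnuPG or OpenSSL: a toy Python model of OpenPGP's two-parameter computation (validity of a key, i.e. "is this key really yours", versus ownertrust, i.e. "how far do I trust you to verify others"), using GnuPG's default thresholds of one fully trusted or three marginally trusted signers and a maximum certification depth of five, beside the all-or-nothing CA chain check. The key and certificate names, signatures and trust assignments are constructed, and the OpenPGP side is a simplified model of GnuPG's classic trust computation rather than its actual code.

```python
"""Toy comparison of the two trust models discussed in the thread.

Added illustration, not code from the list or from GnuPG/OpenSSL. The
OpenPGP side is a simplified version of GnuPG's classic trust model with
its default thresholds; the PKI side is the all-or-nothing CA chain check.
All key/cert names and trust assignments below are constructed.
"""

# Ownertrust: how far I trust a key's *owner* to verify other people's keys.
# This is the second parameter; key validity ("is this key really yours?")
# is the first, and the two are assigned independently.
NEVER, UNKNOWN, MARGINAL, FULL, ULTIMATE = range(5)

COMPLETES_NEEDED = 1   # GnuPG default: one fully trusted signer is enough
MARGINALS_NEEDED = 3   # GnuPG default: or three marginally trusted signers
MAX_CERT_DEPTH = 5     # GnuPG default: longer chains confer no validity


def openpgp_validity(sigs, ownertrust, me):
    """Compute validity ("full", "marginal" or "none") of every key in `ownertrust`.

    sigs: {signer: set of keys that signer has certified}
    ownertrust: {key: ownertrust level}; `me` is my own (ultimately trusted) key.
    A signature only counts if the signer's key is itself fully valid AND I have
    given its owner marginal or full ownertrust. Validity is re-derived outward
    from my own key until nothing changes, tracking the shortest chain length.
    """
    validity = {k: "none" for k in ownertrust}
    depth = {me: 0}
    validity[me] = "full"
    changed = True
    while changed:
        changed = False
        for key in ownertrust:
            if validity[key] == "full":
                continue
            full = marginal = 0
            best_depth = None
            for signer, signed in sigs.items():
                if key not in signed or validity.get(signer) != "full":
                    continue      # not signed by this key, or signer not (yet) valid
                ot = ownertrust.get(signer, UNKNOWN)
                if ot in (FULL, ULTIMATE):
                    full += 1
                elif ot == MARGINAL:
                    marginal += 1
                else:
                    continue      # valid key, but I don't trust its owner as a verifier
                d = depth[signer] + 1
                best_depth = d if best_depth is None else min(best_depth, d)
            if best_depth is None or best_depth > MAX_CERT_DEPTH:
                continue          # no usable signer, or trust has decayed past the depth limit
            enough = full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED
            new = "full" if enough else "marginal"
            if new != validity[key]:
                validity[key], depth[key] = new, best_depth
                changed = True
    return validity


def pki_validity(issuer_of, trusted_roots):
    """All-or-nothing CA model: a cert is valid iff its issuer chain reaches a trusted root.

    issuer_of: {cert: issuer cert, or None for a self-signed root}.
    There is no partial result and no depth limit: anything below a trusted
    root is exactly as valid as anything else, the "forced trust" of the thread.
    """
    result = {}
    for cert in issuer_of:
        cur, seen = cert, set()
        while cur is not None and cur not in seen and cur not in trusted_roots:
            seen.add(cur)
            cur = issuer_of.get(cur)
        result[cert] = "full" if cur in trusted_roots else "none"
    return result


# Constructed web of trust: who signed whom, and how much I trust each owner.
WEB_SIGS = {
    "me":    {"alice", "bob", "carol", "dave"},
    "alice": {"erin", "hop2"},
    "bob":   {"frank", "grace"},
    "carol": {"frank"},
    "dave":  {"frank"},
    "erin":  {"heidi"},
    "hop2": {"hop3"}, "hop3": {"hop4"}, "hop4": {"hop5"}, "hop5": {"hop6"},
}
WEB_OWNERTRUST = {
    "me": ULTIMATE, "alice": FULL, "bob": MARGINAL, "carol": MARGINAL, "dave": MARGINAL,
    "erin": UNKNOWN, "frank": UNKNOWN, "grace": UNKNOWN, "heidi": UNKNOWN,
    "hop2": FULL, "hop3": FULL, "hop4": FULL, "hop5": FULL, "hop6": FULL,
}

# Constructed PKI: one trusted root with a long intermediate chain, one root I never trusted.
PKI_ISSUERS = {
    "GoodRoot": None, "Inter1": "GoodRoot", "Inter2": "Inter1", "Inter3": "Inter2",
    "Inter4": "Inter3", "Inter5": "Inter4", "leaf": "Inter5",
    "ShadyRoot": None, "shady-leaf": "ShadyRoot",
}

if __name__ == "__main__":
    for k, v in sorted(openpgp_validity(WEB_SIGS, WEB_OWNERTRUST, "me").items()):
        print(f"openpgp {k:10} {v}")
    for c, v in sorted(pki_validity(PKI_ISSUERS, {"GoodRoot"}).items()):
        print(f"pki     {c:10} {v}")
```

Running it shows the points made in the exchange: frank is fully valid on three marginal referrals, grace is only marginally valid on one, heidi gets nothing because erin's key is valid but I never said I trust erin as a verifier, and the hop chain stops conferring validity at hop6 as the transitive trust runs out; on the PKI side the six-deep leaf under GoodRoot is exactly as valid as Inter1, while nothing under ShadyRoot is valid at all.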
Current thread:
- HTTP AUTH BASIC monowall Brian Eaton (Mar 16)
- Re: HTTP AUTH BASIC monowall Tim (Mar 16)
- Re: HTTP AUTH BASIC monowall Valdis . Kletnieks (Mar 16)
- Re: HTTP AUTH BASIC monowall bkfsec (Mar 16)
- Re: HTTP AUTH BASIC monowall Tim (Mar 16)
- Re: HTTP AUTH BASIC monowall bkfsec (Mar 17)
- Re: HTTP AUTH BASIC monowall Tim (Mar 17)
- Re: HTTP AUTH BASIC monowall bkfsec (Mar 16)
- Re: HTTP AUTH BASIC monowall Simon Smith (Mar 17)
- Re: HTTP AUTH BASIC monowall Brian Eaton (Mar 17)
- Re: HTTP AUTH BASIC monowall Valdis . Kletnieks (Mar 16)
- Re: HTTP AUTH BASIC monowall Brian Eaton (Mar 16)
- Re: HTTP AUTH BASIC monowall Valdis . Kletnieks (Mar 16)
- <Possible follow-ups>
- Re: HTTP AUTH BASIC monowall Jason Coombs (Mar 16)
- Re: HTTP AUTH BASIC monowall Jason Coombs (Mar 16)
- Re: HTTP AUTH BASIC monowall Dave Korn (Mar 17)