Full Disclosure mailing list archives

Re: HTTP AUTH BASIC monowall


From: bkfsec <bkfsec () sdf lonestar org>
Date: Fri, 17 Mar 2006 10:24:59 -0500

Tim wrote:

> I think you are lumping several types of trust into one.  (Though please
> correct me if I'm wrong.)

My discussion was meant solely to discuss the "web of trust" as it relates to SSL Cert Authorities, which was the scope of my message. I wouldn't refer to the PGP "web of trust" as having the same issues because, as you accurately point out, the two methods of trust are different.

And, again, as you accurately point out, the reason why SSL cert trust is flawed is the distinction of "forced trust"... meaning that in the SSL cert game, you have to trust the CAs.... whereas in PGP trust you're actually trusting someone you know and deciding on trust in a more granular fashion.



> So, I argue the two-parameter, trust-degrading system OpenPGP uses fails
> much more gracefully than SSL's PKI.  I can ultimately trust that your
> key is really yours, but I don't have to trust that you'll properly
> verify others' keys.  As we follow the transitive chain of trust, the
> trust decreases.

And I would agree with you completely.

> People really do operate in webs like this.  Obviously verifying
> identities yourself is safer, but if your buddy tells you someone is
> legit, you will likely trust that at least a little (and with PGP, you
> can trust that referral as much or little as you like, without telling
> your buddy how much you trust him).

Yes, they do... it's where the whole thing becomes automated and "submerged" (as it is with SSL) that things become flawed. Some people tend to ratchet the web of trust onto SSL in an attempt to show that it is verifiable ("the CAs would NEVER falsely identify an organization because then you'd NEVER trust them", etc...) and that's where the mistake is made.

There's some truth to the statement that CAs want to avoid falsely certifying organizations... but the problem is that people assume that they're detectives at verifying business practice and that is not the case. It's just not in the scope of what they do. They're in the business of verifying identity and providing certificates for cryptographic usage... no more, no less. :)

> Please tell me how this is worse than all-or-nothing CA trust in SSL.
> (Besides issues with usability.)

It's not at all worse... it's just that people apply the wrong level of consideration to certificates sometimes and this ends with the result of giving people a false sense of security when they see that little padlock at the bottom of their screen.

Don't get me wrong, there's obvious value in the certificate system. Because I waxed philosophical about webs of trust doesn't mean I want to throw the baby out with the bathwater. :)

            -bkfsec


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
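The two trust models the thread compares, as an added example that is not part of the original post or of any project discussed in it: a small simulation of OpenPGP's two-parameter model (a key's validity is computed from signatures, separately from how far that key's owner is trusted to check other people's keys), beside an all-or-nothing CA chain. The thresholds and the chain-depth cap are modelling assumptions loosely following GnuPG's classic defaults (one fully trusted signer or three marginally trusted ones, depth at most 5); every key, certificate and root name below is constructed. Running it shows "trust decreases along the chain" concretely: two signers whose keys are fully valid but whose owners are only marginally trusted leave the next key marginal, and a marginal key cannot vouch for anyone, while in the CA model a leaf four issuers below a trusted root is exactly as valid as one issued directly, and the only knob is adding another root.

```python
# Added example (not from the original post). Thresholds/depth follow GnuPG's
# classic defaults as an assumption; all names below are constructed.

NONE, MARGINAL, FULL, ULTIMATE = 0, 1, 2, 3   # owner trust levels


def compute_validity(signatures, owner_trust, marginals_needed=3, max_depth=5):
    """Return {key: 'full' | 'marginal' | 'unknown'}.

    signatures:  signer -> set of keys that signer has certified
    owner_trust: key -> how much we trust that key's OWNER to verify others
    Only a key that is itself fully valid can vouch for anyone, and how much
    its signature counts depends on its owner trust, so validity can only
    stay the same or shrink as the chain gets longer.
    """
    keys = set(signatures) | set(owner_trust)
    for signed in signatures.values():
        keys |= set(signed)
    validity, depth = {}, {}
    for key, trust in owner_trust.items():      # our own keys are the roots
        if trust == ULTIMATE:
            validity[key], depth[key] = "full", 0
    changed = True
    while changed:                              # iterate to a fixpoint
        changed = False
        for key in sorted(keys):
            if validity.get(key) == "full":
                continue
            full_votes = marginal_votes = 0
            best_depth = None
            for signer, signed in signatures.items():
                if key not in signed or validity.get(signer) != "full":
                    continue                    # unvalidated signers count for nothing
                if depth[signer] + 1 > max_depth:
                    continue                    # too far down the chain
                trust = owner_trust.get(signer, NONE)
                if trust >= FULL:
                    full_votes += 1
                elif trust == MARGINAL:
                    marginal_votes += 1
                else:
                    continue                    # valid key, but we don't trust its owner's checks
                d = depth[signer] + 1
                best_depth = d if best_depth is None else min(best_depth, d)
            if full_votes >= 1 or marginal_votes >= marginals_needed:
                validity[key], depth[key] = "full", best_depth
                changed = True
            elif marginal_votes and key not in validity:
                validity[key] = "marginal"      # some evidence, not enough to vouch
                changed = True
    return {k: validity.get(k, "unknown") for k in keys}


def ca_validity(issuer_of, trusted_roots):
    """All-or-nothing: a certificate is fully valid iff following issuer links
    reaches a trusted root. Every intermediate is implicitly trusted to certify
    anything, at any depth; there is no 'marginal' outcome."""
    result = {}
    for cert in set(issuer_of) | set(trusted_roots):
        cur, seen, valid = cert, set(), False
        while cur is not None and cur not in seen:
            seen.add(cur)
            if cur in trusted_roots:
                valid = True
                break
            cur = issuer_of.get(cur)
        result[cert] = "full" if valid else "unknown"
    return result


# Constructed web of trust: me -> alice -> {bob, carol} -> dave -> erin
WOT_SIGNATURES = {
    "me": {"alice"}, "alice": {"bob", "carol"},
    "bob": {"dave"}, "carol": {"dave"}, "dave": {"erin"},
}
WOT_OWNER_TRUST = {"me": ULTIMATE, "alice": FULL,
                   "bob": MARGINAL, "carol": MARGINAL, "dave": FULL}

# Constructed CA hierarchy: two leaves under root-ca-1 at different depths,
# one leaf under a root we do not trust.
CA_ISSUERS = {
    "bank.example": "intermediate-a", "intermediate-a": "root-ca-1",
    "shop.example": "sub-sub-b", "sub-sub-b": "sub-b",
    "sub-b": "intermediate-b", "intermediate-b": "root-ca-1",
    "evil.example": "root-ca-2",
}
CA_TRUSTED_ROOTS = {"root-ca-1"}


def run_demo():
    wot = compute_validity(WOT_SIGNATURES, WOT_OWNER_TRUST)
    ca = ca_validity(CA_ISSUERS, CA_TRUSTED_ROOTS)
    # Adding a root is the only knob the CA model offers: it flips a leaf
    # straight from 'unknown' to 'full'.
    ca_forced = ca_validity(CA_ISSUERS, CA_TRUSTED_ROOTS | {"root-ca-2"})
    return wot, ca, ca_forced


if __name__ == "__main__":
    for name, table in zip(("web of trust", "CA chain", "CA chain + root-ca-2"), run_demo()):
        print(name)
        for k in sorted(table):
            print(f"  {k:15} {table[k]}")
```

In the web-of-trust table bob and carol come out fully valid (alice, whom we trust fully, certified them) yet dave is only marginal, because we trust bob's and carol's own checking only marginally; dave's full owner trust never reaches erin since a marginal key cannot vouch. Lowering `marginals_needed` to 2 is the granular per-referral knob Tim describes: dave becomes valid and erin follows. The CA table has no such middle state.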
