Full Disclosure mailing list archives

Re: Western Union Certificate Error


From: JT S <whytehorse () gmail com>
Date: Sat, 10 Sep 2011 09:39:37 +0700

It wouldn't be that hard to set up an SVN repo with the public key of
someone like google. I could then check it out, take the copy over to
some notary or the company themselves, verify it, sign it, check it
back in. Then google could pull the key nightly and verify it hasn't
been modded, just signed. Someone could make a simple browser plugin
to do all this. Problem solved and no more CAs need be involved. I'm
probably going to switch to firefox+convergence plugin as it seems to
have some of this already.  As we enter an era when governments are
spying on people without probable cause in order to crack down on
dissent and free speech, I can see no other alternative.

"At this stage of history, one of two things is possible: Either the
general population will take control of its own destiny and will
concern itself with community interests guided by values of solidarity
and sympathy and concern for others, or alternatively there will be no
destiny to control."~Chomsky

On Fri, Sep 9, 2011 at 10:34 PM,  <Valdis.Kletnieks () vt edu> wrote:
> On Fri, 09 Sep 2011 16:23:50 +0700, JT S said:
>
> > revoke. For all I know, anyone who breaks into any CA which is trusted
> > by my browser can issue and sign a cert for any domain and the browser
> > will blindly accept it.
>
> Yep. That's how it works...
>
> > I personally would prefer that the browsers only trust keys that I
> > have signed, have low trust for keys signed by keys I have signed, and
> > no trust for the rest.
>
> Paging Phil Zimmermann....
>
> > I'd really like the ability to walk into western union or my bank or local
> > google office and sign their key as well as the ability to revoke my signature
> > without revoking my key.
>
> A big chunk of the problem there is that although you might *like* that
> ability, it really presupposes the existence of an office you can walk into.
> I've never seen a local Google office, and at least around here, Western
> Union offices are just a terminal at the customer service desk of supermarkets.
>
> There's a second, more subtle problem - if you *did* find an office, what
> exactly are you attesting by signing something?  If you talk to me at a key
> signing party, I'll claim that key B4D3D7B0 is mine - and more importantly, I
> can (at least in theory, if I have my laptop with me) *prove* I control it by
> generating signatures with it.  However, if you walk into a Western Union
> branch office, all the guy can claim is "Yeah, that fingerprint you have for
> our key matches what was on the piece of paper they mailed us last year".
> However, *the guy at the branch is no more able to verify that piece of paper
> than you are*.  He can't prove control of the key by signing something with
> the Western Union key (and if he *could*, that's even *more* scary).
>
> Then there's the third problem - currently, I have *6* keys on my PGP keyring
> that are specifically flagged as "do not trust" because I've found copies of my
> key signed by them when I know for a fact I've never met the person and had
> them verify my key.  Mind you, there's only about a dozen valid signatures on
> my key.  In other words, my personal set of "personally verified as Doing It
> Wrong" is half the size of "people who do it right".  And that's among people
> that are smart enough to use PGP.
>
> What is the meaning of any single given signature (including yours) on a key
> when every Joe Sixpack who doesn't even really understand keysigning is going
> around and signing keys?  What do you do if a key has 3 million signatures,
> but 1M of them are probably bogus?  I won't discuss the question of how you
> maintain a web-of-trust structure with 10M entries in it - the current PGP
> strong set has only about 45K in it at the moment.






-- 
James Snodgrass
(303) 736-9452

CONFIDENTIALITY NOTICE This E-Mail transmission (and/or the documents
accompanying it) is for the sole use of the intended recipient(s) and
may contain information protected by the attorney-client privilege,
the attorney-work-product doctrine or other applicable privileges or
confidentiality laws or regulations. If you are not an intended
recipient, you may not review, use, copy, disclose or distribute this
message or any of the information contained in this message to anyone.
If you are not the intended recipient, please contact the sender by
reply e-mail and destroy all copies of this message and any
attachments.
