[Cryptography] How to build trust in crypto

Ralf Senderek crypto at senderek.ie
Mon Mar 17 10:42:38 EDT 2014


Sun Mar 16 19:42:24 EDT 2014 Guido Witmont wrote:

> That's the essence of Eccentric Authentication, my protocol to 
> implement all of this.
...
> Feel free to take shots at my approach. I'd like to get feedback on 
> how far I get with this competition.

Guido, I think the clear outline of your proposal makes it a valuable
contribution to the competition as we can now figure out what it would
take to implement your steps.

One of your key points is the role your/our blog/web site plays in
preparing the ground for the trusted channel between two site users.
As I see it, there is an important element missing, which is context.
With a few messages signed on your blogsite, all I have is a public
key but no context about the individual behind it. Can I trust the 
public key? I don't know, because of a lack of context.

Bruce Schneier's new PGP key (EDACEA67) has only one signature, it's
self-signed. If I found some meaningless comment or blog post signed 
with EDACEA67 at myblogsite, I would not trust this pubkey to secure
a meaningful, secure contact to Bruce. It is the context in which
the key appears, Bruce's website, that induces trust even if he 
deliberately abstains from using any kind of PKI.

Your focus obviously is on anonymity, but I think that in avoiding 
context, we don't get trust. The introduction of your website as an
intermediary should not just be used as a technical match-maker, it
should also be able to reliably tie context information to the public
keys you are using as identities.

      --ralf

