[Cryptography] Follow up on my password replacement idea

Ray Dillinger bear at sonic.net
Wed Sep 23 19:29:36 EDT 2015 


On 09/23/2015 02:37 PM, Bill Frantz wrote:
> On 9/23/15 at 1:04 PM, bear at sonic.net (Ray Dillinger) wrote:
> 
>> As far as I can see trust relationships are binary.  ...
> 
> Trust relationships are much more complex that just binary. When my
> lawyer introduces me to his paralegal, I automatically assign the same
> level of trust to her that I have in him. Ont of the new items of trust
> is I trust her to know when to kick things upstairs to him.

The difference is that you have a genuine trust relationship with
the lawyer in the first place and you evaluate his introduction in
the context of that trust relationship.

Just to pick one at random from my browser, I have absolutely no idea
who "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı" is.  I have no
reason to trust them.  No trust relationship whatsoever.  And yet my
browser is configured to accept their word that people are trustworthy.

Supposedly because I trusted the people who make Firefox to make the
introductions to CA's, but get serious.  There's a big difference
between "default configuration of ubiquitous software" and "actually
has a reason to trust."

My point is that trust is flowing the wrong way.  I have a reason
of long business experience, FDIC regulation, federal oversight,
personal  experience and contractual liability, etc, to trust my
banker.  If my banker introduced a CA, then I would consider myself
to have some reason to suspect that that particular CA isn't bogus.

Now run it the other way.  I have almost no relationship with the
people who make the browser, and that relationship expressly disclaims
all liability and gives me no recourse under contract. Further, they
aren't liable even for a refund because their software is free.
Finally, it's open-source so if they screw it up there isn't even
anybody to sue. That isn't a real trust relationship.  They have no
relationship with "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı"
that I'm aware of, beyond having probably exchanged one or two
letters and being afraid that some user somewhere might not be able
to watch a cat video without a certificate from them.  Again, that's
not a real trust relationship.

And on the basis of the word of someone whose relationship with me
isn't contractual and disclaims all liability, I'm accepting the
word of someone whose relationship to them I'm completely ignorant
of but suspect to be minimal or nonexistent, to introduce complete
strangers whom I am supposed to trust for financial transactions.

What am I, crazy?

				Bear



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150923/6953257b/attachment.sig>

More information about the cryptography mailing list