[Cryptography] Verisimilitrust

Bill Frantz frantz at pwpconsult.com
Thu Jan 14 22:38:32 EST 2016


On 1/13/16 at 3:32 PM, bear at sonic.net (Ray Dillinger) wrote:

>So, what's the payoff to overcome these limitations? What worthwhile
>applications do we need another public key infrastructure for?  What
>is the trust model and how can we avoid the mistakes of setting up a
>business model that doesn't follow it?  And what requirements does
>it have beyond or different from the X.509 PKI?

The basic trust model used to implement capabilities in Waterken 
and E, to name two systems off the top of my head, is useful. 
They use references (à la URLs) which identify the receiver of 
the connection (aka server) and a secret which represents a 
resource on that server. E has a hash of the public key of the 
server and the secret number. I think Waterken is using TLS and 
its trust model.

With the public key, or its hash, there is no PKI to speak of. 
The trust model is that you trust the place you got the URL, 
which includes the ones you generate yourself. Since you have 
assurance you are contacting the same place over and over, you 
can develop trust based on behavior.

I think modern versions of TLS can be made to use a similar 
method of trusting the other end, although it is much less 
commonly used than it should be.

Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz        | The first thing you need when  | Periwinkle
(408)356-8506      | using a perimeter defense is a | 16345 Englewood Ave
www.pwpconsult.com | perimeter.                     | Los Gatos, CA 95032
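
The reference scheme described in this message, sketched as an added example that is not part of the original post and is not E's or Waterken's actual format. The `cap://` layout, the function names and the sample key bytes are assumptions made for illustration: the reference carries a hash of the server's public key plus an unguessable secret, and the client accepts the peer only if the presented key hashes to that value, with no CA involved.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical layout: cap://<host>:<port>/<b32 SHA-256 of server key>/<b32 secret>

def _b32(data: bytes) -> str:
    return base64.b32encode(data).decode().rstrip("=").lower()

def fingerprint(public_key: bytes) -> str:
    """Hash of the server's encoded public key, as embedded in the reference."""
    return _b32(hashlib.sha256(public_key).digest())

def _table_key(secret: str) -> str:
    # The server indexes resources by a hash of the secret, so the table
    # never holds the secrets themselves.
    return hashlib.sha256(secret.encode()).hexdigest()

def mint_reference(host, port, public_key, table, resource):
    """Server side: bind a fresh 160-bit secret to a resource and build the reference."""
    secret = _b32(secrets.token_bytes(20))
    table[_table_key(secret)] = resource
    return f"cap://{host}:{port}/{fingerprint(public_key)}/{secret}"

def parse_reference(ref):
    parts = urlsplit(ref)
    segments = parts.path.strip("/").split("/")
    if parts.scheme != "cap" or len(segments) != 2 or not all(segments):
        raise ValueError("not a capability reference")
    return parts.hostname, parts.port, segments[0], segments[1]

def server_key_matches(ref, presented_key: bytes) -> bool:
    """Client side: trust the peer only if its key hashes to the value in the reference."""
    _, _, expected, _ = parse_reference(ref)
    return hmac.compare_digest(expected, fingerprint(presented_key))

def lookup(table, secret):
    """Server side: possession of the secret is the only authorization check."""
    return table.get(_table_key(secret))

if __name__ == "__main__":
    key = b"constructed-bytes-standing-in-for-an-encoded-public-key"
    table = {}
    ref = mint_reference("example.org", 4433, key, table, "mailbox-42")
    print(ref)
    print(server_key_matches(ref, key), server_key_matches(ref, b"other-key"))
    print(lookup(table, parse_reference(ref)[3]))
```

Because the reference is itself the credential, it has to travel over channels as trusted as the resource it names; anyone who sees the full string holds the capability.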


