[Cryptography] Verisimilitrust

Arnold Reinhold agr at me.com
Sat Jan 16 19:18:46 EST 2016


On Wed, 13 Jan 2016 15:32 Ray Dillinger asked:

...
> So, what's the payoff to overcome these limitations? What worthwhile
> applications do we need another public key infrastructure for?  What
> is the trust model and how can we avoid the mistakes of setting up a
> business model that doesn't follow it?  And what requirements does
> it have beyond or different from the X.509 PKI?
> 
> In short, where is the new work that we still need to do?
> 

Top of my list would be a standard way to get or verify certificates via QR codes. Consumers are already familiar with them. Coupled with certificate pinning, this would allow the whole CA mess to be bypassed in many important cases, such as banking, health care and email. Most people have periodic out-of-band contact with their banks, visiting offices, ATM machine kiosks, or getting written statements. Health care usually entails in-person contact. Scanning a QR code on the wall or in the printed statement letterhead would allow a direct establishment of trust. Email trust could be established when exchanging business cards at first contact, and so on. Banks and others might even get into the business of verifying certificates for businesses and individuals that have accounts with them, perhaps for a fee.

Arnold Reinhold
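The scheme sketched in the message above, as an added worked example that is not code from the original post or from any project: a scanned QR payload carries the bank's hostname and an RFC 7469-style pin (base64 of the SHA-256 over the DER SubjectPublicKeyInfo), and the client accepts a TLS leaf certificate only if its key matches that pin, without consulting any CA. The "pin://host?sha256=..." payload format, the function names, and the self-signed certificates generated so the code runs offline are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// PinFromSPKI returns the base64 SHA-256 of the DER SubjectPublicKeyInfo, the
// same quantity RFC 7469 (HPKP) pins. Hashing the SPKI rather than the whole
// certificate lets the bank renew the certificate without reprinting QR codes,
// as long as it keeps the same key.
func PinFromSPKI(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// QRPayload builds the string the bank would encode in its QR code.
// The "pin://host?sha256=..." form is a hypothetical scheme for this example.
func QRPayload(host, pin string) string {
	return "pin://" + host + "?sha256=" + url.QueryEscape(pin)
}

// ParsePayload decodes a scanned payload and rejects anything that is not
// exactly the expected shape: a QR code on a wall is attacker-controllable input.
func ParsePayload(payload string) (host, pin string, err error) {
	u, err := url.Parse(payload)
	if err != nil || u.Scheme != "pin" || u.Host == "" {
		return "", "", errors.New("not a pin:// payload")
	}
	pin = u.Query().Get("sha256")
	raw, err := base64.StdEncoding.DecodeString(pin)
	if err != nil || len(raw) != sha256.Size {
		return "", "", errors.New("pin is not a base64 SHA-256 digest")
	}
	return strings.ToLower(u.Host), pin, nil
}

// VerifyPinned checks a presented leaf certificate against a scanned payload.
// The CA chain is never consulted; trust comes entirely from the out-of-band scan.
func VerifyPinned(payload, expectedHost string, presented *x509.Certificate) error {
	host, pin, err := ParsePayload(payload)
	if err != nil {
		return err
	}
	if host != strings.ToLower(expectedHost) {
		return fmt.Errorf("payload is for %q, not %q", host, expectedHost)
	}
	if err := presented.VerifyHostname(expectedHost); err != nil {
		return err
	}
	if subtle.ConstantTimeCompare([]byte(PinFromSPKI(presented)), []byte(pin)) != 1 {
		return errors.New("public key does not match the scanned pin")
	}
	return nil
}

// mustSelfSigned makes a throwaway ECDSA self-signed certificate for host so the
// example runs offline (constructed test data; a deployment uses the bank's real leaf).
func mustSelfSigned(host string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	bank := mustSelfSigned("bank.example")
	payload := QRPayload("bank.example", PinFromSPKI(bank))
	fmt.Println("QR payload:", payload)
	fmt.Println("genuine cert:", VerifyPinned(payload, "bank.example", bank))
	impostor := mustSelfSigned("bank.example") // same name, different key
	fmt.Println("impostor cert:", VerifyPinned(payload, "bank.example", impostor))
}
```

The impostor case is the one that matters: a certificate for the right name issued by any CA still fails, because only the key the customer scanned in the branch is accepted. What the example does not solve is key rotation and revocation, which the message leaves open; a pinned key that is lost or compromised can only be replaced by another out-of-band contact.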

