[Cryptography] Verisimilitrust

Ray Dillinger bear at sonic.net
Sun Jan 17 14:25:29 EST 2016 


On 01/16/2016 04:18 PM, Arnold Reinhold wrote:
> On Wed, 13 Jan 2016 15:32 Ray Dillinger asked:

>>  What
>> is the trust model and how can we avoid the mistakes of setting up a
>> business model that doesn't follow it?  And what requirements does
>> it have beyond or different from the X.509 PKI?
>>
>> In short, where is the new work that we still need to do?
>>
> 
> Top of my list would be a standard way to get or verify certificates via QR-codes. Consumers are already familiar with them. Coupled with certificate pinning, this would allow the whole CA mess to be bypassed in many important cases, such as banking, health care and email. Most people have periodic out-of-band contact with their banks, visiting offices, ATM machine kiosks, or getting written statements. Health care usually entails in-person contact. Scanning a QRcode on the wall or in the printed statement letterhead would allow a direct establishment of trust. Email trust could be established when exchanging business cards at first contact, and so on.  Banks and others might even get into the business of verifying certificates for business and individuals that have accounts with them, perhaps for a fee. 


This ... is ... brilliant.  Establishing trust in person at the
place of business, by scanning it off the wall.  Totes simple,
people will get it.  Add certificate pinning, and you get keys
that matter into consumers' devices and (with sync) home
computers.  The beauty of this is that it's out of band to the
Internet itself.  It's authenticated by physical presence in a
space controlled by the securing party.

There are a lot of things it doesn't cover, of course; folks never
actually go to an Amazon storefront. But ... Banks.  Attorneys.
Accountants.  Health-care providers.  Brick-and-mortar merchants.
This handles a bunch of really important auth problems.

				Bear

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20160117/c500fc24/attachment.sig>

More information about the cryptography mailing list