[Cryptography] Anonymous rendezvous (was Business opportunities in crypto)

Jerry Leichter leichter at lrw.com
Wed May 5 12:04:10 EDT 2021


> If you buy physical stuff on the basis of NewEgg reviews, you will make pretty good buys.
> 
> NewEgg has meta reputation for good curation of reviews, and reviews on NewEgg have reputation by being on NewEgg.

So NewEgg is a trusted third party:  I believe the reviews because NewEgg curates them, and I believe that NewEgg does a good (and, importantly) honest job.  OK.

> What curation do CAs do? Having CA authorities in the middle does not make the connection to the real world
> better, it makes it worse.

If you ask them, they check that someone claiming to be newegg.com really *is* newegg.com.  Oh, they let a whole bunch of fakers through - and of course they accept zero liability when you rely on them?  You shouldn't trust just ordinary certs - you should look for those special EV certs for which they charge a whole bunch extra - and still accept no liability.  (Is anyone really still buying EV certs?  It occurs to me that I haven't seen the green outline in quite some time.)

In any case, whatever curation they do (and there is *some* - several CAs have been blacklisted by the major browser makers for not doing their jobs right) seems to be accepted by most people in most circumstances.  And for the most part, it works.  It's only those of us who are in the biz who realize just how fragile all this is.

> If NewEgg and its reviewers were strongly pseudonymous, and their product links were hashes to immutable data or a third party signature to mutable data, it would work even better.

Realistically ... in what way?  Would it be more convenient?  Easier for NewEgg to curate?  What kinds of attacks, mounted by whom, would these prevent?  Who would profit enough from mounting such attacks to make it worthwhile to do so?

Note that sellers on Amazon have allegedly actually bought their own products so that they could (a) pump up the numbers; (b) appear as legitimate reviewers of those actual products.  Would your proposals do anything to prevent this?

                                                        -- Jerry
