On 2014-04-28, at 5:00 PM, James A. Donald <jam...@echeque.com> wrote:

> Cannot outsource trust. Ann usually knows more about Bob than a distant 
> authority does.

So should Ann verify the fingerprints of Amazon and PayPal herself? How do you 
see that working, assuming that Ann is an “ordinary user”?

This is exactly the kind of thing I was complaining about in my earlier 
comment. There are burdens that we cannot push onto the user.

People do trust their browsers and OSes to maintain a list of trustworthy CAs. 
Sure, we might have the occasional case where some people manually remove or 
add a CA. But for the most part, we’ve outsourced trust to the browser vendors, 
who have outsourced trust to various CAs, etc.

I am not saying that the system isn’t fraught with serious problems. I’m saying 
that at least it tries to work for ordinary users.

>  A certificate authority does not certify that Bob is trustworthy, but that 
> his name is Bob.

Yes, of course. Back in the before time (1990s), I had feared that this was 
going to be a big problem: that people would take “trust the 
authenticity” of a message to be “trust the veracity” of the message. But as it 
turns out, we haven’t seen a substantially higher proportion of fraud of this 
nature than in meatspace. I think it is because reputations are now so fragile.

Cheers,

-j
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
