bkfsec wrote: > Frankly, the whole "web of trust" is > a flawed idea. "Because A trusts > B, and B trusts C, then A can (must?) > trust C" is, excuse the lack of > civility, utter bullshit. > > I trust my friends, it doesn't mean > that I trust their friends.
You're applying the sick-and-stupid-Verisign-monopoly-business-strategy version of the 'web of trust' idea to all webs of trust, and that's incorrect. Verisign is guilty of fraud in even suggesting that the CA (and the SSL certs it issues) does anything at all other than what you describe -- but don't throw the web of trust baby out with Verisign's dirty business bathwater. The 'security' problem that a proper 'web of trust' solves nicely is the one in which particular entities are associated with individual public keys. There is no especially good way, aside from a properly-implemented web of trust, for many-to-many reliable distributed discovery of the public key-to-entity mapping that is most probably accurate because it is the correlation that your trusted associates assure you they have successfully relied on in the past to engage in communication with the party they believe to be the owner of a particular public key. SSL does not implement any reasonable trust mechanism today because Verisign dumbed it down in order to create a universal mechanism to tax the Internet. Best, Jason Coombs [EMAIL PROTECTED]
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
