On Tue, Oct 22, 2013 at 3:32 PM, Brian E Carpenter <[email protected]> wrote:
> On 23/10/2013 04:55, DataPacRat wrote:
>> On Mon, Oct 21, 2013 at 4:46 PM, DataPacRat <[email protected]> wrote:
>>> Eg, if I trust my own vCard at a level of 100 decibans,
>>> I trust Alice's card at 30, and Alice trusts Bob's card at 40, it's
>>> easy to determine that Bob's card should be trusted at somewhere under
>>> 30 decibans. (Real situations would be much more complicated, such as
>>> with multiple assertion paths; but this is still early days.)
>
> Excuse my ignorance, but while I have no difficulty understanding
> Bayes' Theorem and know who invented decibans, I don't understand how
> I can use a trust value that is different from 1 or 0, in practice.
>
> I won't trust somebody with half my PIN code because they rate 47 decibans.

I could suggest that the values be interpreted in terms of Laplace's Sunrise formula - eg, "there have been 10 reports of the key being used falsely and 500,000 that it's been used successfully: Do you wish to continue?".

More usefully, though, I'd suggest that you already go through this process today, with whatever security/privacy procedures you may use, only qualitatively rather than quantitatively.

Eg, if something like this is used as a replacement for hierarchical CAs for https transactions, then some practice and experiment would have been done by then to figure out reasonable trust values for any given result. Eg, "Below 0 decibans: Reject. 1-20 decibans: Warn user, show highest trust paths, ask for confirmation. 20+ decibans: Proceed normally." (Smart software would allow users to tweak their own thresholds, with suitable warnings. Even smarter software would use more complicated metrics involving calibrating the trust values reported by each issuer, adding time-based factors, and so on.)

To you, as an end user, part of the goal of the infrastructure system here is to fade into the background as much as possible, so that you don't even realize it's there, and generally don't have to worry about it, any more than you have to worry about what makes your browser give a green-light to your bank's website today.

Thank you for your time,
--
DataPacRat
"Then again, I could be wrong."
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
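
The arithmetic behind the message above, as an added example that is not part of the original post or of any implementation discussed on the list. It assumes a deciban score means 10*log10(odds), that links in a trust path are independent so their probabilities multiply, and that scores from 0 up to 20 fall in the "warn" band; all function names are hypothetical.

```python
import math

def decibans_to_prob(db):
    """Deciban score -> probability, reading the score as 10*log10(odds)."""
    odds = 10 ** (db / 10)
    return odds / (1 + odds)

def prob_to_decibans(p):
    """Probability -> deciban score (log-odds, base 10, times 10)."""
    return 10 * math.log10(p / (1 - p))

def chain_trust(*links_db):
    """Trust in the far end of a path in which every link must hold.
    Assumption: links are independent, so their probabilities multiply."""
    p = math.prod(decibans_to_prob(db) for db in links_db)
    return prob_to_decibans(p)

def sunrise_decibans(successes, failures):
    """Laplace's rule of succession: P(next use is good) = (s + 1) / (n + 2)."""
    p = (successes + 1) / (successes + failures + 2)
    return prob_to_decibans(p)

def policy(db, reject_below=0.0, proceed_from=20.0):
    """Thresholds quoted in the message; the message leaves 0..1 and exactly 20
    unspecified, so this sketch assumes [0, 20) warns and 20 or more proceeds."""
    if db < reject_below:
        return "reject"
    if db < proceed_from:
        return "warn"
    return "proceed"

if __name__ == "__main__":
    # Constructed inputs taken from the figures in the message.
    bob = chain_trust(30, 40)                # me -> Alice (30), Alice -> Bob (40)
    print(f"Bob via Alice: {bob:.2f} decibans -> {policy(bob)}")
    key = sunrise_decibans(500_000, 10)      # 500,000 good reports, 10 bad
    print(f"Key history:   {key:.2f} decibans -> {policy(key)}")
    weak = chain_trust(30, -5)               # one distrusted link sinks the path
    print(f"Weak path:     {weak:.2f} decibans -> {policy(weak)}")
```

Under these assumptions the Alice-to-Bob path comes out just under 30 decibans, matching the claim in the quoted text, and a single link below 0 decibans pulls the whole path into the reject band.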
