This is one of the main points I make in the papers: Trustworthiness is always with respect to a specific set of risks. The risks faced by an elderly grandmother surfing the Internet to buy knitting supplies are very different to the risks faced by an opposition member in Iran.

We are never going to achieve perfect security for either our users or ourselves.

On Thu, Feb 2, 2012 at 2:44 PM, Daniel Kahn Gillmor <[email protected]> wrote:
> On 02/01/2012 08:45 PM, Jon Callas wrote:
>> I still claim that we should not go near trustworthiness because I'd rather
>> come up with one good solution than several vague ones. The PKI debates of
>> fifteen years ago bit off more than they could chew, and that's part of why
>> we're here. I think we need to do less before we do more.
>
> I think there's an underlying tension in this discussion between two
> ways of seeing what we're trying to do:
>
> 0) we're trying to build one global mechanism for peer authentication
> that will work automatically for everyone, without any per-user adjustment
>
> Vs.
>
> 1) we're trying to build mechanisms for peer authentication that will
> allow tools to reflect the decisions and perceptions of trustworthiness
> made by their users
>
>
> (0) seems kind of like the holy grail most folks would like to see, and
> it would be very cool if things could Just Work like that. But i think
> it's a dangerous goal.
>
> It's dangerous because (0) seems to imply that all users face the same
> threats, have the same levels of acceptable risk, and share the same
> interests. This just isn't true in the real world, even in the limited
> domain of verification of identity assertions.
>
> If i'm an agent of the Central Council of Orgoreyn, i will be willing to
> accept different assertions of identity than if i work for the Imperial
> Court in Karhide. I may even have special access to some identity
> certification material that my counterpart in Karhide does not (and vice
> versa). And if i'm an independent agent, unaligned (and potentially in
> conflict) with both regimes, then my assessment of any particular claim
> of identity will be different still.
>
> Designing a system that assumes all users will be willing to accept a
> single global identity authority (or set of identity authorities)
> without any reflection of the user's particular circumstances is a
> mistake. In particular, it seems likely to make the system be
> unreliable for people who are already marginalized, or for people who
> are in opposition to powers who have some control over the global
> identity authorities.
>
> So that leaves us with option (1), which has the sticky issue of needing
> to gather these personal/idiosyncratic requirements from users and
> interpret them into some sort of coherent technical policy. I know we
> can't solve those UI issues on this list, but i'd hope that any proposed
> solutions will at least consider the need to adjust for the user's
> circumstances and propose some kind of reasonably coherent policy
> approach to account for those circumstances.
>
> --dkg
> _______________________________________________
> therightkey mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/therightkey

-- 
Website: http://hallambaker.com/
