Good idea, but don't expect too much

Posted Feb 18, 2010 16:05 UTC (Thu) by drag (subscriber, #31333) [Link]

Yeah.

If you blindly trust a doctor your doing it wrong. If you blindly trust a mechanic your a setting yourself up.

When I need a car worked on I either do it myself if I can manage (oil changes, brake pad changes, etc etc.. things that are easy) or I have very specific couple of shops that I know that are trustworthy. I am willing to put myself in a great deal of inconvenience in order to go to a mechanic I can trust. They are worth their weight in gold and very often carry a premium for their services.

Same thing with Doctors. Don't blindly trust them. Do not believe what they tell you is true, do not trust the drugs they prescribe to you are safe. You look up that stuff on the internet. I mean, seriously, why do experts always recommend for you to get a second opinion on anything that is remotely serious?

Plenty of times doctors have ignored symptoms that ended up killing patients. They prescribe drugs that kill their customers. Anybody with half a brain knows that they have to rely on their own judgment for many things since even if the people they are working with are wonderful and have their best interests in heart they can still make mistakes.

That is the 'Trust But Verify' for doctors.. 'Get a Second Opinion'. That is fundamental requirement. Is it foolproof? NOPE. But it's important. If you have a problem and you get something that sounds funny from your current doctor then you hire a second, unrelated, doctor to get his opinion.

And there are times I've gotten unsafe food from the supermarket. Had stuff go rotten or be rotten in containers even if the date on the packaging says otherwise. I know that different stores are more trustworthy then others and some stores have fresher food or higher quality produce then others.

Hell you can see that in the rise of 'Whole Foods' types stores were they provide higher quality food then the average supermarket. Not all of them are equal.

And on top of that some of the food they sell is not safe to you. Things like IceCream, while a treat, have a very similar effect to a slow poison on the human body. If you blindly choose your foods on what looks good and what tastes good then you're going to end up fat and dead.

So on and so forth. It's not that these people are evil. But it's simply a requirement of a healthy society that it's citizens have a healthy skepticism and be willing to put the effort into understanding what is going on around them.

It's not that you don't trust them. Its that you do what you can, in your limited way, to make sure that you can trust them.

A central authority like Verizon can actually make everything worse. Anybody with some cash can pay to get 'trusted'. It does not matter who. A official government-recorded corporation can be created with as little as 200-300 dollars and a couple signatures. A P.O. box or trustee can be a official address.

They give the illusion that a website is safe, when really you have no idea. That authority can be used to shield and make dishonest people seem legitimate. It's used all the time.

Drug companies use the FDA to make their stuff seem safe, when it really is not. Same thing with food. People trust the FDA to protect them so some dishonest people use that perception against you.

So things like central commercial certificate authorities do not have the ability, desire, or resources to make sure that a website is 'safe'. All the cert means is that the company is legit enough to pay somebody money to sign their cert and that you probably have secure communications with that host. Hell.. they could be completely honest folks, but have some crappy webserver that allows for cross sight scripting attacks.

When you buy something online from a store you've never used... do you not google around and see if you can find some sort of history or users complaining about that store? Do you not check your accounts to make sure that payments taken out are correct?

That is 'trust but verify'

Posted Feb 22, 2010 10:35 UTC (Mon) by dkg (subscriber, #55359) [Link]

(disclaimer: i'm quoted in the article, and i'm a contributor to the monkeysphere project) I appreciate your commentary, and especially your skepticism about changing core infrastructure. These things need to be taken seriously. I hope you'll train your skepticism on the existing problematic systems as well.

khim wrote:

You can decide to ignore some central authorities (like you can choose to ignore CNNIC), but it's not possible and not feasible to ignore all of them.

Why is it infeasible to ignore any of them that you distrust? Today, it's because of the inherent bias in the structure X.509 certificates, because any certificate can only have one issuer. With the current infrastructure, you simply can't express the idea of "I only trust FooCA's certifications if they're corroborated by some other entity". And if you decide to say "I don't trust FooCA's certifications at all", your only clear option in the current regime is to not visit services certified by FooCA, because there is no way that the service could be concurrently certified by another CA which you do trust. But what if more than one CA could certify a service?

khim wrote:

Recommendations are absolutely important. Vital, even. But Web-Of-Trust is not a that. It's some complex technical tool designed to automatically determine if you should trust someone or not.

OpenPGP's Web-of-Trust is actually not about automatically determining whether you should trust someone or not. It's ultimately about deciding whether someone is who they claim to be, just like that Other PKI, X.509. The WoT uses your own indications about who you trust to identify other people (or services) and then automates the process of binding those identities to public keys, which are bound in turn to your communications.

If this is confusing, it might be because current implementations and documentation don't do a good job of separating out the concepts and the terminology. I agree that's a problem, and it needs to be fixed. But the questions you need to be able to answer to use the WoT are very much within reach of ordinary humans.

As a baseline for use of the WoT, you need to be able to answer one question:

• Who do i know i can i rely on to correctly identify another party?

For full participation (so that others can choose to rely on your certifications, and so that you can be sure that your indicated preferences will be properly respected), you need to add two more concepts:

• Is a given person who they say they are?
• Does the key that I have for them match the key they claim to have?

Note that the first two concepts are normal human concepts, so built-in that we don't even think about them explicitly much. If you've known your good friend Alfredo Lopez for 6 years, you have very good reason to believe that he is Alfredo Lopez. Slightly more complicated: if you've known Alfredo for years, and he's a reasonable guy, and he says "hey, meet my friend Maria Jones", you probably have good reason to believe that the person in question is indeed "Maria Jones". Some of us have friends who we know will try to fool each other with prank names like "I. P. Freely", or acquaintances who would be happy to impersonate a bank teller for financial gain -- we know not to rely on these friends or acquaintances for proper identification without corroboration.

The final concept (about matching keys) does require a bit of sophistication -- it means you need to understand that some digital object called a "key" exists, and can be used as a means of identifying people (or other entities). And it means you need to know how to compare the fingerprint of a key: this just involves reading a series of letter and numbers and making sure they match; most people can do this.

khim wrote:

Web-of-trust model is complex and opaque, central authority model is simple and transparent.

In fact, if people want central authorities, it's trivial to implement them in a WoT. Simply mark all the central authorities your tools already implicitly "trust" as being entities you feel you can rely on to identify another party. Now, your WoT is exactly as simple and transparent as a hierarchical model. But if you decide that something is wrong with that model, you have a way to address the problem.

What could be wrong with the hierarchical model? Try asking people who they actually trust with the ability to compromise all of their networked communications. Mozilla Firefox 3.5 ships with entities like the dubious GTE CyberTrust Global Root (using a 1024-bit RSA key with an expiration date of 2018 -- 8 years longer than NIST recommends), governmental root certificate authorities from Taiwan, Netherlands, Japan, and soon China, and "too-big-to-fail" agencies with a history of corruption, simple incompetence or acquiescence to corporate or governmental bullying like Network Solutions, Equifax, or Verisign. You don't have to distrust all of these entities to think this arrangement is suboptimal. You only need to distrust one of them. It's a weakest-link arrangement.

The solution to these problems is not to force users into blind "trust" arrangements that are inherently insecure. It's to make sure users have access to clear, comprehensible information about who they are relying on to make identification decisions, to make it easy for end users to reject untrustworthy middlemen, and for people who don't understand the system to rely on people or groups they actually do know and trust to make identity certifications (even if they turn out to be delegated ones). As far as i can tell, this isn't possible with the dominant technical infrastructure for the central authority trust model (and it should be noted that X.509 itself is also neither simple nor transparent).

We can do better, and we should.