| |||||||||||||
Certificates and "authorities"Certificates and "authorities"Posted Sep 8, 2011 8:05 UTC (Thu) by AlexHudson (subscriber, #41828)Parent article: Certificates and "authorities"
I think the issue here is basically that most users simply don't want to know much about how the trust works: they just want to know who to trust.
I installed Convergence here a few days ago. I'm pretty techie but I don't really get it. I now see all https certs are verified by a local self-signed cert (boy, was that a surprise..) and I get that this is more like some kind of quorum system. I don't get who is going to run these various notaries for people to check against; I suppose the browser makers could run some instead of pinning but I suppose I don't see the commercial motivation for someone to run one well. Are we to rely on the charity of the likes of Google? Hmm.
I also don't really get how any of these can be explained to the man on the street. Fundamentally, the issue comes down to "how can you trust a party you've never met", and every solution involves some kind of third party/intermediary and gets increasingly more complex / convoluted as various holes get patched up.
(Log in to post comments)
Certificates and "authorities" Posted Sep 8, 2011 11:42 UTC (Thu) by bboissin (subscriber, #29506) [Link]
Here is the comment from Ben Laurie (one of the Chrome engineer) about convergence: http://www.imperialviolet.org/2011/09/07/convergence.html
Certificates and "authorities" Posted Sep 8, 2011 15:05 UTC (Thu) by tpo (subscriber, #25713) [Link]
I think the article is by Adam Langley and not Ben Laurie:
$ wget -q http://www.imperialviolet.org/iv-rss.xml -O -|grep name|head -1
Certificates and "authorities" Posted Sep 8, 2011 15:08 UTC (Thu) by bboissin (subscriber, #29506) [Link]
Indeed, my bad. Sorry Adam.
|
|||||||||||||