Certificates and "authorities"

Posted Sep 8, 2011 8:05 UTC (Thu) by AlexHudson (guest, #41828)
Parent article: Certificates and "authorities"

I think the issue here is basically that most users simply don't want to know much about how the trust works: they just want to know who to trust.

I installed Convergence here a few days ago. I'm pretty techie but I don't really get it. I now see all https certs are verified by a local self-signed cert (boy, was that a surprise..) and I get that this is more like some kind of quorum system. I don't get who is going to run these various notaries for people to check against; I suppose the browser makers could run some instead of pinning but I suppose I don't see the commercial motivation for someone to run one well. Are we to rely on the charity of the likes of Google? Hmm.

I also don't really get how any of these can be explained to the man on the street. Fundamentally, the issue comes down to "how can you trust a party you've never met", and every solution involves some kind of third party/intermediary and gets increasingly more complex / convoluted as various holes get patched up.

Certificates and "authorities"

Posted Sep 8, 2011 11:42 UTC (Thu) by bboissin (subscriber, #29506)

Here is the comment from Ben Laurie (one of the Chrome engineers) about Convergence:

Certificates and "authorities"

Posted Sep 8, 2011 15:05 UTC (Thu) by tpo (subscriber, #25713)

I think the article is by Adam Langley and not Ben Laurie:

$ wget -q -O -|grep name|head -1
<name>Adam Langley</name>

Certificates and "authorities"

Posted Sep 8, 2011 15:08 UTC (Thu) by bboissin (subscriber, #29506)

Indeed, my bad. Sorry Adam.

