
Bazaar on the slow track -- Montone gets too little attention

Posted Sep 18, 2012 20:25 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)
In reply to: Bazaar on the slow track -- Montone gets too little attention by jackb
Parent article: Bazaar on the slow track

PKI is a failure on all levels, starting from technical and going up to the social/management level.

For example, is there anybody here who can claim enough ASN.1 knowledge to parse encoded certificates and keys? I certainly can't; every time I need to generate a CSR or a key, I go to Google and search for the required command line to make OpenSSL spit out the magic binhex block.

Then there's a problem with lack of delegation. It's not possible to create a master cert for "mydomain.com" which I then can use to sign "host1.mydomain.com" and "host2.mydomain.com".

And so on. I'd gladly help a project to replace all this morass with clean JSON-based certificates with clear human-readable encoding.
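The "magic binhex block" is PEM armour around DER, and DER is nothing more than nested tag-length-value records. The following added example (my code, not Cyberax's and not anything from LWN or OpenSSL) builds a small hand-constructed DER blob, wraps it in PEM, and reads it back with a strict DER walker. The sample structure is constructed for illustration and is not a real certificate; the walker rejects the BER-only encodings (indefinite and non-minimal lengths) that a DER consumer should refuse, because a lenient parser and a strict one can disagree about what bytes were signed.

```python
import base64
import textwrap

# --- encoding helpers, used only to construct the sample blob ----------------

def encode_length(n):
    """DER length: short form below 0x80, otherwise minimal big-endian long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One tag-length-value record (single-byte tags only)."""
    return bytes([tag]) + encode_length(len(content)) + content

def encode_oid(dotted):
    """Dotted OID -> DER content bytes (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def to_pem(der, label):
    """Base64 in 64-column lines between BEGIN/END markers: the PEM 'binhex block'."""
    lines = textwrap.wrap(base64.b64encode(der).decode("ascii"), 64)
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

# Constructed sample (NOT a real certificate):
#   SEQUENCE { INTEGER 2, OBJECT IDENTIFIER 2.5.4.3 (commonName),
#              UTF8String "host1.mydomain.com" }
SAMPLE_DER = tlv(0x30, tlv(0x02, b"\x02")
                 + tlv(0x06, encode_oid("2.5.4.3"))
                 + tlv(0x0C, b"host1.mydomain.com"))
SAMPLE_PEM = to_pem(SAMPLE_DER, "EXAMPLE")

# --- strict DER reader ---------------------------------------------------------

def from_pem(pem):
    lines = [line.strip() for line in pem.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("missing PEM armour")
    return base64.b64decode("".join(lines[1:-1]), validate=True)

def read_length(data, pos):
    """Return (length, new_pos); reject indefinite and non-minimal forms."""
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not DER")
    length = int.from_bytes(data[pos:pos + n], "big")
    if length < 0x80 or length < (1 << (8 * (n - 1))):
        raise ValueError("non-minimal length encoding is BER, not DER")
    return length, pos + n

def parse_der(data, pos=0, end=None):
    """Walk data[pos:end] into a list of (tag, value); constructed tags nest."""
    end = len(data) if end is None else end
    nodes = []
    while pos < end:
        tag = data[pos]
        if tag & 0x1F == 0x1F:
            raise ValueError("high-tag-number form not supported here")
        length, pos = read_length(data, pos + 1)
        if pos + length > end:
            raise ValueError("length runs past the enclosing element")
        value = parse_der(data, pos, pos + length) if tag & 0x20 else data[pos:pos + length]
        nodes.append((tag, value))
        pos += length
    return nodes

def is_strict_der(data):
    try:
        parse_der(data)
        return True
    except ValueError:
        return False

def decode_oid(body):
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

TAG_NAMES = {0x02: "INTEGER", 0x03: "BIT STRING", 0x04: "OCTET STRING", 0x05: "NULL",
             0x06: "OBJECT IDENTIFIER", 0x0C: "UTF8String", 0x13: "PrintableString",
             0x17: "UTCTime", 0x30: "SEQUENCE", 0x31: "SET"}

def describe(nodes, depth=0):
    """Render the parsed tree as indented text lines."""
    lines = []
    for tag, value in nodes:
        name = TAG_NAMES.get(tag, f"tag 0x{tag:02x}")
        pad = "  " * depth
        if isinstance(value, list):
            lines.append(pad + name)
            lines.extend(describe(value, depth + 1))
        elif tag == 0x06:
            lines.append(f"{pad}{name} {decode_oid(value)}")
        elif tag == 0x02:
            lines.append(f"{pad}{name} {int.from_bytes(value, 'big', signed=True)}")
        elif tag in (0x0C, 0x13):
            lines.append(f"{pad}{name} {value.decode('utf-8')!r}")
        else:
            lines.append(f"{pad}{name} {value.hex()}")
    return lines

if __name__ == "__main__":
    print(SAMPLE_PEM)
    print("\n".join(describe(parse_der(from_pem(SAMPLE_PEM)))))
```

Running it prints the PEM block followed by the decoded tree; a real certificate is the same shape, just a much deeper SEQUENCE whose leaves are the fields `openssl asn1parse` would show.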



Bazaar on the slow track -- Montone gets too little attention

Posted Sep 18, 2012 21:16 UTC (Tue) by jackb (guest, #41909)

I think there are two components necessary to build a web of trust that real people will actually use. First is automated in-person key signing that I described in an earlier post. The second part is an online database of facts about a particular identity.

The database would consist of one table that associates arbitrary text strings with public key IDs, and another table containing cryptographically-signed affirmations or refutations of the entries in the first table.

An example of an arbitrary text string could be a legal name, an email address, "inventor of the Linux kernel", "CEO of Acme, Inc.", etc.

Everybody is free to claim anything they want, and everyone else is free to confirm or refute it. A suitable algorithm would be used to sort out these statements based on the user's location in the web of trust to estimate the veracity of any particular statement.

The value of the web of trust depends on getting people to actually use it, so the tools for managing it would need to be enjoyable to work with instead of painful. That's one reason I think the user interface should be similar to a social network: the empirical evidence suggests that people like using Facebook more than they like using GPG or OpenSSL. The other reason is that social networks better model how people actually interact in real life, so making the web of trust operate that way is more intuitive.


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds