Comments for StartCom Web of Trust

Comment on Making a Digital Identity Assertion like the Notary Public System by Legal forum

Legal forum — Thu, 06 Aug 2009 08:30:24 +0000

Thanks for this useful information.

Comment on Making a Digital Identity Assertion like the Notary Public System by worktoday24

worktoday24 — Sun, 19 Jul 2009 15:06:33 +0000

hi.. This is a pretty good article. Apostile

Comment on Making a Digital Identity Assertion like the Notary Public System by mobile notary

mobile notary — Wed, 01 Nov 2006 21:38:38 +0000

I’d say in 5-10 years electronic notarization will be very common. I still think someone will actually have to psycially show up to id the person though.

Comment on Sxipping In, User Centric Identity and its Relationship to a CA by Eddy Nigg

Eddy Nigg — Sun, 15 Oct 2006 00:40:20 +0000

Meant: trustworthiness of the data, not date…

Comment on Sxipping In, User Centric Identity and its Relationship to a CA by Eddy Nigg

Eddy Nigg — Sun, 15 Oct 2006 00:39:17 +0000

I agree! I think, it would be a good idea to contact the various leaders, specially Sxip, OpenID and let them do some thinking…Securing of A) network and transport related options, B) storage and audit? thereof. In addition to that, there might be an idea of protocol extension, which would define the source or trustworthiness of the date, e.g Not validated, reasonable validated and highly validated….Or something along this lines…

Comment on Sxipping In, User Centric Identity and its Relationship to a CA by startssl

startssl — Wed, 11 Oct 2006 14:48:31 +0000

If the user only has to enter their data once, they are more likely to make it correct. With the granular control the users have over which data is released they can feel more at ease about filling in the data correctly. Furthermore if you have a CA, who is acting as the users homesite, validate the users data, you now have trustworthy data.

The issue I see is that the code I have looked at transports the users data from site to site unencrypted, and without validation that the site is who THEY say they are. SSL and DNSSEC together could solve this problem, but I am not sure that it is even seen as a problem yet.

Comment on Sxipping In, User Centric Identity and its Relationship to a CA by Eddy Nigg

Eddy Nigg — Wed, 11 Oct 2006 01:23:23 +0000

The idea is very interesting indeed, but without any validation form, the quality of data might be problematic. In real life, a person has usually only one identity – the same identity which should be used to access protected web sites – but without compromising the very same personal information. Most likely, that the CA role is the missing link here.

Hopefully this identity protocols and their software get to a stable level soon and with adding additional security (storage of date etc), a verification model seems to be invitable.

Comment on About by Eddy Nigg

Eddy Nigg — Wed, 11 Oct 2006 01:15:36 +0000

How aboutsome content here? We all want to know

Comment on Perceived Value of Certs vs PGP by Iang

Iang — Thu, 21 Sep 2006 10:34:16 +0000

These questions all seem to be searching for a schism between PGP and PKI. That’s a false distinction; they are both technologies that more or less provide support for statements made by one party about another party. The concept is bigger than the tech, and the tech hasn’t been able to be made big enough to fill out the concept.

PKI (x.509/CA is what I mean by PKI) provides a hierarchical structure with CAs presumably making reliable statements. Yet, nobody knows what those statements are, so the technology doesn’t deliver what it promises. See my long long long paper on “PKI considered harmful” http://iang.org/ssl/pki_considered_harmful.html for more on how all this falls apart. Did I say it was long?

PGP provides a network to make reliable statements. Yet, the technology doesn’t say what and where to place the statement, so the technology doesn’t deliver the promise. PGP says you can sign my key, but it doesn’t ever ask you what you mean when you sign my key — you know me? You don’t know me? I’m trustworthy? I’m married to your sister? I’m a terrorist? I’m all of them, all together?

More fairly, PGP doesn’t deliver the PKI promise, because the PKI promise isn’t realistic to copy. PKI doesn’t deliver the PGP promise because to do so would break the hierarchical structure, something that is considered to be beyond question to the insiders.

Where are we left in all that? The relying party is SOL. She has to read the CPS and understand the detail, so the only statements she can rely on are those that she is familiar with … which leads us inexorably to the “you trust what you know” methodology, without any objective test of what it is you might know. So, trusting Verisign works if you already trust Verisign. Trusting CAcert is equally stable, and trusting PGP WoT works fine .. if you already trust it.

Comment on Perceived Value of Certs vs PGP by startssl

startssl — Wed, 20 Sep 2006 22:37:18 +0000

If a Notary can be trusted to do what they are supposed to, then it would be class 3 or even class 4. Considering that volunteer Notary/Assurers with no financial liability can’t be trusted to do as required, then the assertions these people make are merely suggestions. Thus the certs can’t even be called level 2, nor can they be insured that way.

The only way assertions of volunteers could be taken seriously is if the volunteer were to buy a bond to cover the breach of contract, just exactly like a Notary Public. Errors and Omissions insurance would also be nice. However these things may be difficult to come up with outside of the US, also some people feel it is unfair to ask volunteers to do this. My opinion is that if you want me to to trust your assertion, then “put your money where your mouth is”.