[security] [OpenID] Trust + Security @ OpenID
Eric Norman
ejnorman at doit.wisc.edu
Sat Jul 21 22:14:05 UTC 2007
> Eric Norman wrote:On Jul 20, 2007
>> True enough. But there's more. Many will argue that such
>> protection is also useless unless the correct trust anchors
>> (some folks call them "root" certificates) are deployed at
>> the correct places. This is far easier to say then accomplish.
On Jul 21, 2007, at 9:03 AM, Eddy Nigg (StartCom Ltd.) wrote:
> Apache web servers come many times with a CA bundle installed (mostly
> Linux distributions). This is usually a dump from the NSS (Mozilla)
> store. One can add easily more PEM encoded certificate to that bundle
> - all the ones you want to trust. Implementation can require valid
> certificates traceable back to a root in the CA bundle.
Right. Just about everyone already knows that.
But it's not relevant to the point. One of the
key phrases above is "correct places".
Which of those 100 or so trust anchors should I
delete? Some folks will say "Start with all of 'em".
They're just self-asserted claims, fer Pete's sake!
Why am I supposed to take them as some sort of
Gospel? And how can I verify their trustworthiness
if it's called into question?
What can I do to include my notion of trustworthiness
instead of having to rely on blind faith in some
system programmer at Mozilla or wherever?
That's part of the real problem. For further commentary,
I'll just refer you to what Peter Williams is saying.
He seems to have his brain partly wrapped abound the
problem (albeit maybe not the total solution).
Especially this:
On Jul 21, 2007, at 1:37 PM, Peter Williams wrote:
> What we need now are protocols hooks and UI concepts that implement
> these raw technologies in a fashion that consumers can manage – and
> thus impose their view of trustworthiness on the world – as they see
> it.
I will assert one thing that you can take as "Gospel",
if you so choose. This is not a problem that technology
can totally solve, but it can make a contribution. Ergo,
technophiles that connote things like, "We'll solve that
problem for you" are really doing the world a disservice
in the grand scheme of things.
Eric Norman
http://ejnorman.blogspot.com
More information about the security
mailing list