On Mon, Jun 3, 2013 at 5:21 AM, Ben Laurie <[email protected]> wrote:

> Omnibroker introduces a trusted third party. It may be better than the
> status quo, but I think we've got adequate proof that we can't
> actually trust TTPs.
Like the 9 companies allegedly involved in PRISM?

I agree that we can't absolutely trust any party. We can't put absolute trust in Google, or ICANN or Comodo. But the current design of the Web requires us to trust all of them and rather more.

The situation is not the same with Google however, as I can at least decide whether or not to trust Google. I can in fact build an entirely Google-free tool chain if I want. I can eliminate the need to trust Google but not the need to trust at least one browser provider and one search engine[1].

The real point is not that I get to choose whether to trust Google but not whether to trust Comodo or ICANN. And that is the difference between a CA and an Omnibroker as TTPs. They are both TTPs, but one is an agent of and chosen by the server operator and the other is chosen by the client operator.

Ah, but now you are going to say that I can compile Chrome from source. Which just leaves me with the task of checking a billion lines of source for a backdoor.

Omnibroker is designed to provide the same option. If you install your own Omnibroker service you can do all the checking yourself for every client that supports the protocol. You can do DANE checks and CT and Convergence and anything else that you might invent in the future. You can do all those checks all by yourself or you can ask a Symantec or a Comodo or a Kaspersky for information on possible bad IP addresses, botnets etc.

I am working to develop an open source Omnibroker that can be used as the basis for just such a system, called Tin-Foil-Hat. Some of the code is already on Sourceforge.

SCVP and XKMS make a distinction between Certificate Path Discovery and Certificate Path Validation. You can use either server as simply a service that will find the information you need to make a trust decision, or you can outsource your trust decision. Omnibroker allows the same thing, but it is not limited to PKI.

--
Website: http://hallambaker.com/
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
