On Tue, Nov 25, 2014 at 02:52:47PM -0500, Richard Pieri wrote: > On 11/25/2014 1:15 PM, Derek Martin wrote: > >Let's say I meet you on the street, and you tell me you are Steven > >Smith, and produce very good fake ID to that effect. As it happens > >(in this scenario) I am exceptionally good at spotting fake ID. I > >prove that your ID is fake. This does not prove to me who you are--it > >only proves to me one identity whom you are not. > > It proves that I'm that particular guy you met on the street. You > may not know my real identity but you still have a piece of > information -- a fingerprint if you will -- that is uniquely mine.
This misses the point: we're talking about authenticating (essentially) anonymous parties on the internet for (essentially) trusting them with your money and/or secrets. The above was only an analogy to illustrate the problem. Though your response sort of makes my point for me.... sort of. Having met "fake Steven Smith #32" I would certainly trust him with neither my money nor my secrets. > If that fingerprint is used then you know that it's the guy you met > on the street with Steven Smith fake ID #32. That's all you need if > you want to communicate with fake Steven Smith #32. I have no use to communicate with "fake Steven Smith #32"... my goal is to trust that the website behind certificate XYZ actually belongs to my brokerage house, rather than some "fake Steven Smith #32" who fully intends to abscond with my nest egg. The fingerprint of "fake Steven Smith #32" has no value to me (or, I dare say, anyone), and I would not bother attempting to secure my communications with that person. > At which point a web of trust or hybrid web and chain can be used if > you need more than that. It's not an unsolvable problem. It's > already been solved: social networks. Oh, right, just like the web of trusted certificate authorities. It's a solved problem, so we really don't need to continue this discussion! -- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0xDFBEAD02 -=-=-=-=- This message is posted from an invalid address. Replying to it will result in undeliverable mail due to spam prevention. Sorry for the inconvenience.
_______________________________________________ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss