On Thu, Oct 11, 2012 at 12:00 AM, Branko Čibej <br...@apache.org> wrote:
> So instead of giving too much credence to government-issued IDs, you'd > prefer to give credence to a service provided "for free" by a commercial > entity with a conceivable interest in inserting backdoors in software or > subverting trust in certain keys (a.k.a. Google), with the whole thing > being archived in as system controlled by another commercial entity > (a.k.a. YouTube, incidentally a.k.a. Google), with no public oversight > of those archives. The beauty of multi-factor authentication is that any one factor may have weaknesses, so long as it remains infeasible to compromise all of them. Giving an unaccountable proprietary entity like Google a role is indeed a weakness, just as relying on fallible amateurs to detect potentially forged government-issued IDs is a weakness. In a layered system, neither weakness need be fatal. > I'm sure you'd sue Google and win if they fake the archive. I'm confused as to what attack vector you're describing here. Since Google controls the only copies of the video, in theory they might "photoshop" its content to alter the appearance of one of the participants -- but that seems implausible because of technical challenges. It's possible Google could "accidentally" misplace some video content, though. In the sample/rough-draft protocol I described, the archived video serves two purposes: In the short term, it provides footage for third parties contacted out-of-band (via e.g. phone or email) to review and provide testimonials: "Yes, that's my colleague Noah Slater, who I've known for 5 years". Should the video archive mysteriously vanish before that loop closes, key signing aborts and the system remains uncompromised. In the long term, the archived video serves to deter would-be identity spoofers by capturing their faces and voices for posterity. An attacker who has the ability to remove the video (conspirator, rogue employee, cracker who has compromised Google's servers or more likely the account hosting the video) would still have to overcome other obstacles -- establishing control over an ASF committer account, preventing third parties contacted out-of-band from raising red flags, etc. It seems to me that the potential dissappearance of archived video degrades deterrence by a small amount, but that so long as other factors retain their integrity, the degradation is nowhere near enough to bring down the system. Marvin Humphrey --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
