On 30/04/2014 02:57 am, Jeffrey Goldberg wrote:
> Hi Ian,
> 
> I will just respond to one of the many excellent points you’ve made.


Super, thanks!

> On 2014-04-29, at 12:12 PM, ianG <[email protected]> wrote:
> 
>> On 29/04/2014 17:14 pm, Jeffrey Goldberg wrote:
>>> People do trust their browsers and OSes to maintain a list of trustworthy 
>>> CAs.
>>
>> No they don't.  Again, you are taking the words from the sold-model.
> 
> I will explain my words below.
> 
>> People don't have a clue what a trustworthy CA is, in general.
> 
> I emphatically agree with you. I hadn’t meant to imply otherwise.
> 
> I have been using “trust” in a sort of behavioral way. For the sake of the
> next few sentences, I’m going to introduce some terrible terminology. 
> “b-trust” is my “behavioral trust” which will be defined in terms of “c-trust” 
> (“cognitive”).
> 
> So let’s say that A c-trusts B wrt to X when A is confident that B will act 
> in way X. (Cut me some slack on “act”). A “b-trusts” B wrt to X when she 
> behaves as if she c-trusts B wrt to X.
> 
> So when I say that users trust their browsers to maintain a list of 
> trustworthy CAs, I am speaking of “b-trust”.  They may have no conscious idea 
> or understanding what they are actually trusting or why it is (or isn’t) 
> worthy of their trust. But they *behave* this way.


Right, but this is very dangerous.  You have migrated the meaning of X
in the conversation.

Users trust their browsers to do the right thing by security.

Browsers trust their CAs to do the right thing by their ID verification.

This does not mean that users trust their browsers to maintain a list of
trustworthy CAs.

Trusting the browsers to "do the right thing" also includes the
possibility that the browsers throw the lot out and start again.  Or
drop some CAs from the list, which they only do with small weak players
that won't sue them.



Also, one has to again refer to the nature of trust.  It's a
choice-based decision.  Trust is always founded on an ultimate choice.

In this context, we would claim that users b-trust because they know
they can switch.  With browsers they cannot switch.  There isn't a
browser that will offer a different model (they cartelised in 1994,
basically).  And there isn't a browser vendor that will take user input
on this question.

So there is no choice for the user.  Therefore, we need a new form;
m-trust perhaps?  Mandated-trust?  I don't know how far we want to go
into the doublespeak to interpret this, point being that m-trust
excludes {b,c}-trust by its nature.

Also, if you asked users whether they trust the browsers to secure their
connections to the online banks, then I'd reckon you'd have a bit more
of an uphill battle.  It isn't done and users know it isn't done, thanks
to phishing.  Users now use more than one browser, not because one does
a better job but because they are diversifying their risks, online
banking on one browser, the rest on another.

Which is where it gets more dangerous:  we can frame the question to
gain the answer we want; but who are we framing the result for?


> A vampire bat may b-trust that its rook mates will give it a warm meal if 
> necessary. Life is filled with such trust relations even where there is no 
> c-trust. 

Yes, and a vampire bat may choose which mate to get the meal from;  it
has choice.

>> (c.f., the *real meaning of trust* being a human decision to take a risk
>> on available information.)
> 
> Which is what I am talking about. And I’m talking about it because it is what 
> matters for human behavior. And I want a system that works for humans.
> 
> I see that you’ve written on financial cryptography. Well, think about how 
> conventional currency works. For all its problems currency works, and it is a 
> system that requires “trust”. But only a negligible fraction of the people 
> who successfully use the system do so through c-trust.

Right.  Now add in hyperinflation to the mix;  how many people really
trust their governments to not hyperinflate?  Only ones with no
collective history of it.


> It may well be that all of the problems with TLS are because the system is 
> trying to work for agents who don’t understand how the system works. But, as 
> I said at the beginning, that is the world we are living in.


Right, we're certainly in the world we are in.  However, the problem
with this particular world is that it uses a language that is
'constructed' to appear to require this particular solution.  In order
to find better solutions we have to unconstruct the constructions in the
language, so as to see what else is possible.



iang

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
