> For me the sentence, “I had little choice but to trust X” is perfectly
> coherent.
>
> Is it possible that you are letting your righteous anger at what
> browser vendors have done interfere with how you are defining “trust”?

That's the question with the elusive answer: how do you define trust.

One of the better answers I have seen: X trust Y to do Z.

Plug in PKI: Users trust CAs to abide by their CP and CPS. (Now policy (CP) and procedures (CPS) need to be accepted).

Nonsensical counterexample: Trustwave did not follow their CP, but they are still trusted. Does not compute...

Jeff

On Fri, May 2, 2014 at 1:41 AM, Jeffrey Goldberg <[email protected]> wrote:
>
> On 2014-05-01, at 8:49 PM, ianG <[email protected]> wrote:
>
>> On 1/05/2014 02:54 am, Jeffrey Goldberg wrote:
>>> On 2014-04-30, at 6:36 AM, ianG <[email protected]> wrote:
>
>>> OK. So let me backpedal on “Ann trusts her browser to maintain a list of
>>> trustworthy CAs” and replace that with “Ann trusts her browser to do
>>> the right thing”.
>>
>> Right, with that caveat about choice.
>
> I think that we are in fierce agreement. At first
> I didn’t understand the significance of your insistence
> on *choice*, but I see it now. More below.
>
>>>> In this context, we would claim that users b-trust because they know
>>>> they can switch. With browsers they cannot switch.
>>>
>>> Their choice is to transmit private information using their browsers.
>>> Their choice is to not participate in e-commerce.
>
>> Right, there is always in economics some form of substitute. But
>> actually we've probably moved beyond that as a society.
>
>> I would say that e-commerce is utility grade now, so it isn't a
>> choice you can really call a choice in competition terms.
>
> I agree that the behavior in b-trust must be about “choice behavior”
> in that Ann behaves one way instead of another.
>
> But I don’t think that we should have some minimal threshold of choice
> before we can call the behavior b-trust. As long as there is some
> non-zero amount of choice the behavior (in these cases) will exhibit
> a non-zero amount of trust.
>
> For me the sentence, “I had little choice but to trust X” is perfectly
> coherent.
>
> Is it possible that you are letting your righteous anger at what
> browser vendors have done interfere with how you are defining “trust”?
>
>>> All I’m asking is that we consider the people we are asking to
>>> “b-trust” the system. Can we build a system that is b-trustworthy
>>> for the mass of individuals who are not going to make c-trust
>>> judgements.
>>
>>
>> Right, this is the question, how do we do that?
>>
>> That is what Certificate Transparency and Perspectives seek to do, as
>> well as other thoughts. First they make the c-trust available by
>> setting up alternate groups and paths. Then the c-trusters develop their
>> followings of b-trusters.
>
> I agree with that last bit. In a sense, if people see that experts trust
> the system they will too. But how will this play out with Certificate
> Transparency for most users? What do they actually need to know and do
> to follow some c-trusters?
>
>> There likely needs to be a group of c-trusters in the middle
>> that mediate the trust of the b-trusters.
>
> And how will that work without putting unrealistic expectations on
> the vast majority of users. How do they pick which c-trusters to trust?
>
>>> I think that we have a higher chance of success if we use a language that
>>> can talk about agents who do not have a deep or accurate understanding of
>>> why a system is supposed to work. And so, I think that, with some
>>> refinement, my notion of b-trust is worthwhile.
>>
>>
>> Yes it could be. It might not be applicable to web-PKI because the
>> vendors confuse X "do the right thing by users" with X' "maintain a good
>> CA list.”
>
> I’m confused. (Perhaps by the vendors?)
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
