SSL Certificate Authorities vs. Convergence, Perspectives
alphadogg writes "With all the publicity about breaches of SSL certificate authorities and a hack that exploits a vulnerability in the supposedly secure protocol, it's time to consider something else to protect Internet transactions. If only there were something else to turn to. Protecting SSL and its updated version TLS is vital because they support most e-commerce transactions by setting up end-to-end encrypted sessions that are authenticated, and that requires certificates that are verified by certificate authorities. One new model for authentication is called Convergence, and it is similar to one being trialed at Carnegie Mellon University called Perspectives. Rather than trusted third parties whose trust can't be assured, SSL/TLS authentication would rely on a reputation system of verification."
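The notary model that the summary describes, sketched as an added example (not part of the original submission and not the code of either the Convergence or the Perspectives project): a client computes the fingerprint of the certificate a server presented, asks several independent network notaries which key they have seen for that host and for how long, and accepts the certificate only if enough notaries agree and the key has a history. The notary names, the notary responses, the "DER" byte strings being fingerprinted, and the quorum and minimum-age thresholds are all constructed or assumed here for illustration.

```python
"""Notary-style certificate verification in the Perspectives/Convergence spirit.

Added example: all notaries, responses and thresholds below are constructed.
"""
import hashlib
from dataclasses import dataclass

DAY = 86_400


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint (hex) of a certificate's DER encoding."""
    return hashlib.sha256(der_bytes).hexdigest()


@dataclass(frozen=True)
class Observation:
    """One notary's record of a key it has seen a host present."""
    notary: str
    fingerprint: str
    first_seen: int  # epoch seconds
    last_seen: int   # epoch seconds


# Constructed sample data (not real certificates): stand-in byte strings for the
# legitimate certificate and for an impostor certificate shown to one vantage point.
NOW = 1_700_000_000
FP_GOOD = fingerprint(b"constructed-der-bytes-legitimate-example.test")
FP_IMPOSTOR = fingerprint(b"constructed-der-bytes-impostor-example.test")

# Assumed responses from three hypothetical notaries when asked about example.test.
NOTARY_RESPONSES = {
    "notary-a.example": [Observation("notary-a.example", FP_GOOD, NOW - 90 * DAY, NOW)],
    "notary-b.example": [Observation("notary-b.example", FP_GOOD, NOW - 85 * DAY, NOW)],
    # This notary's own path to the host is being intercepted, so it reports a different key.
    "notary-c.example": [Observation("notary-c.example", FP_IMPOSTOR, NOW - 60, NOW)],
}


def verify(presented_fp, responses, now, quorum=2, min_age_days=7):
    """Decide whether to accept the fingerprint a server presented.

    Two checks, with illustrative thresholds:
    - quorum: at least `quorum` notaries currently see this same key for the
      host, so a man-in-the-middle on any single network path (the client's
      or one notary's) is outvoted by the others;
    - age: some agreeing notary has seen the key for at least `min_age_days`,
      so a key that appeared everywhere moments ago (a widespread interception,
      or a freshly mis-issued certificate) is refused rather than trusted.
    Returns (accepted, reason).
    """
    current = {}
    for notary, observations in responses.items():
        if observations:
            current[notary] = max(observations, key=lambda o: o.last_seen)
    agreeing = [o for o in current.values() if o.fingerprint == presented_fp]
    if len(agreeing) < quorum:
        return False, f"only {len(agreeing)} of {len(current)} notaries see this key"
    oldest = min(o.first_seen for o in agreeing)
    if now - oldest < min_age_days * DAY:
        return False, f"key first seen {(now - oldest) // DAY} day(s) ago; too new"
    return True, f"{len(agreeing)} of {len(current)} notaries agree; key has history"


if __name__ == "__main__":
    # The client connected over an intercepted path and was shown the impostor key.
    print(verify(FP_IMPOSTOR, NOTARY_RESPONSES, NOW))
    # The client was shown the long-lived key that most notaries also see.
    print(verify(FP_GOOD, NOTARY_RESPONSES, NOW))
```

The quorum check is what lets this model work without a central authority: no single party's opinion is decisive, and the client chooses which notaries to consult. The age check is the part most easily forgotten; without it, an attacker who can intercept every notary's path (or who obtains a rogue certificate that all notaries then observe) would pass the vote immediately. Legitimate key rotation trips the same check, so a deployment needs a way to treat "new key, full agreement" as a warning to be reviewed rather than a hard failure.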
What happens when you are a software company that will have at best 1000 clients?
That's the issue I am facing right now with Norton and SONAR. I started deploying with ClickOnce since I needed to add SQLCE to our customers' machines. Now SONAR pops up and deletes our software randomly. If you look at the logs, Norton actually says "YOU CHOSE TO DELETE THIS".
That's just an Antivirus company. How in the hell can I expect to be able to deliver product and keep it updated if I'll never have enough customers to "Trust" our software and build a reputation?
We cater to a pool of clients that will never go above 1100 customers. Does this mean that in addition to AV troubles, we will never get trusted because we cannot possibly get enough people to make the numbers to BE trusted?
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
That is so deeply deeply wrong. Any system that relies on some central authority will be abused by that central authority. Politics, moderators in every forum on the net, Wikipedia, you name it. Including people here moderating more on if they agree than on anything else. This is not my personal theory but well-known in psychology.
The first problem is that the type of human who is striving to be an authority, by definition, is focused on himself, including his benefits, over those of everyone else.
And the second and worse problem is that there is no such thing as an "absolute" or "central" "authority". Authority, if anything, is defined through being respected and trusted. That is a personal thing. I can tell you that I trust person X all I want. As long as you trust me, that won't mean you trust him. Now replace me with Mozilla and person X with a CA. They impose authority they never earned. That is just plain wrong and the opposite of how a healthy community works.
Of course replacing a single untrustworthy "authority" by a crowd of untrustworthy "authorities" won't work, and you are right that it would probably make things even worse. Wikipedia's history of admins abusing their power is a good example of this not working. But just look at the results of elections, and you know why one can't trust the general public. ;) (Doesn't mean anybody is wrong. It's just that one's good is the other one's bad and we are way too diverse to form one harmonizing community.)
If anything, the only system that will ever work is one that finally acknowledges that the whole thing is relative to the individual. A web of trust. Yes, that means that people who choose the wrong people to trust can be abused. But at least they can make that choice at all, compared to having the choice made for them. And sorry, if you give a crook power of authority to deal with your bank on your behalf (which is the equivalent of trusting a bad certificate validator for a bank), it's your own damn fault and it's supposed to hurt.
eBay doesn't have a reputation system. A reputation system requires that parties be able to add or subtract from the feedback based upon their views. There will be a few that don't match or are wrong, but over time the values will tend to reflect reality.
With eBay, they don't let sellers leave negative feedback anymore and as a result the whole system is badly flawed and tends to just reward bad behavior by buyers.