A security researcher was able to revoke a third party's Symantec certificate by presenting a fake private key.
https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html
Symantec have at least acknowledged that this is a problem.
https://www.symantec.com/connect/blogs/third-party-revocation-updates
... but seriously, why do we even still have PKI? Shouldn't DNS registrars be the ones signing certs.After all, that's *all* a cert means, that you own a domain.
@natecull Well one thing's for sure, we ought to kill the CA cartel. Let's Encrypt is a start, but the entire design is wrong.
So we know the goal... Like DNS, finding a proper solution is still a WIP :)
@craigmaloney @natecull Well I think you want to design a system where the CA doesn't have to opt-in to it :)
@cwebber @natecull Unfortunately I think it's easier to notarize a business than a person. Businesses have paper-trails and a general covenant with the state and federal governments that they're not up to any shenanigans.
That said, even businesses can be deceitful and the only legal recourse is to dissolve the ability for that business to exist in the legal sense.
The CAs take some of the legal responsibility for determining legitimacy, but ultimately they're just as fallable
@craigmaloney @natecull I'm not so sure. What's a person in terms of identity? I think we've had enough interactions where I could notarize you. Could identities be forged? Sure, happens in real life too. Identity is messy, but...
@natecull @craigmaloney
Here's another assertion: a person probably shouldn't just have one identity. Identity is association, and inherently many to many. The motivation behind DIDs is partly coming from the refugee crisis, and individuals being disconnected from their state-issued identity.
Compelling user story writeup here: https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-fall2017/blob/master/topics-and-advance-readings/RWOT-User-Story.md
@cwebber @craigmaloney I skimmed this and I wish I could grasp quite how it works - I get the sense there are two keys for a user, Control Key and Owner Key? Huh?
If I feel confused, and I know a little bit about crypto (never coded, but did use PGP briefly back in the day), is it maybe too complicated?
I know crypto is tricky and trust is very hard to algorithmically define, but can we make this easier somehow?
Will reread and try to grasp what's going on.
Like I think can't we literally start with JUST:
1. 'I am the entity who controls this identity', and
2. 'This piece of information was authored directly by this identity'
where 'entity' may not even be a person, because we need to allow machines to communicate just as much as we need to allow humans.
and then build up from there?
MAYBE there are things a human ID needs that a machine doesn't but we need to start with the core basics.
@cwebber @craigmaloney like right now the thing I'm very much worried about is that:
1. All our communications are stored on devices we don't 100% trust or control
and
2. All our communications are routed through networks we very much do NOT trust or control
and
3. All these devices and networks are going to lie and fake communications from us, if they can
and
4. Hostile humans at all levels of governance from crime to US President are strongly forcing 3
@natecull @cwebber sadly unless you learn die design, fab your own chips, write your own BIOS and OS, and write your own software there has to be a level of trust in other folks to not be a bad actor. Look at the recent Intel nonsense where there was a separate computer (with network server) that the CPU couldn't access.
