A security researcher was able to revoke a third party's Symantec certificate by presenting a fake private key.

https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html

Symantec have at least acknowledged that this is a problem.

https://www.symantec.com/connect/blogs/third-party-revocation-updates

... but seriously, why do we even still have PKI? Shouldn't DNS registrars be the ones signing certs.After all, that's *all* a cert means, that you own a domain.

@natecull Well one thing's for sure, we ought to kill the CA cartel. Let's Encrypt is a start, but the entire design is wrong.

So we know the goal... Like DNS, finding a proper solution is still a WIP :)

@cwebber @natecull Much like Congress voting themselves a pay-cut I'm pretty sure no CA in their right mind is going to take disbanding their cartel lightly.

@craigmaloney @natecull Well I think you want to design a system where the CA doesn't have to opt-in to it :)

@cwebber @natecull Unfortunately I think it's easier to notarize a business than a person. Businesses have paper-trails and a general covenant with the state and federal governments that they're not up to any shenanigans.

That said, even businesses can be deceitful and the only legal recourse is to dissolve the ability for that business to exist in the legal sense.

The CAs take some of the legal responsibility for determining legitimacy, but ultimately they're just as fallable

@craigmaloney @natecull I'm not so sure. What's a person in terms of identity? I think we've had enough interactions where I could notarize you. Could identities be forged? Sure, happens in real life too. Identity is messy, but...

@natecull @craigmaloney
Here's another assertion: a person probably shouldn't just have one identity. Identity is association, and inherently many to many. The motivation behind DIDs is partly coming from the refugee crisis, and individuals being disconnected from their state-issued identity.

Compelling user story writeup here: https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-fall2017/blob/master/topics-and-advance-readings/RWOT-User-Story.md

@cwebber @craigmaloney I skimmed this and I wish I could grasp quite how it works - I get the sense there are two keys for a user, Control Key and Owner Key? Huh?

If I feel confused, and I know a little bit about crypto (never coded, but did use PGP briefly back in the day), is it maybe too complicated?

I know crypto is tricky and trust is very hard to algorithmically define, but can we make this easier somehow?

Will reread and try to grasp what's going on.

@craigmaloney @cwebber

Like I think can't we literally start with JUST:

1. 'I am the entity who controls this identity', and

2. 'This piece of information was authored directly by this identity'

where 'entity' may not even be a person, because we need to allow machines to communicate just as much as we need to allow humans.

and then build up from there?

MAYBE there are things a human ID needs that a machine doesn't but we need to start with the core basics.