undefined | Better HN

0 pointsnknight14y ago0 comments

> Well, how do you distribute trust? Do you have a quorum or something?

Basically, yes.

> Consider this ... what if I wanted to introduce doubt that X is really verified, and thereby hurt their business. How can you avoid me doing stuff like that? Besides harsh laws of course.

By not trusting you.

Right now, what happens is the browser and/or OS vendor determines a set of certificate authorities to declare "trusted", and all certificates they issue are simply assumed to be valid.

Instead, we could require, say, three signatures, each from different authorities, to invoke the normal "this is a secure connection to a properly-identified website" behavior.

But each of those authorities was still determined by the vendor to be trustworthy. It's still going to be the likes of e.g. VeriSign, Comodo, StartSSL, etc.. It's not going to be you.

0 comments

3 comments · 1 top-level

EGreg14y ago· 2 in thread

But what if Verisign really doesn't like Bank of America, can they cast doubt on their websites now?

nknightOP14y ago

No, but if they could and did, their business would come to an abrupt end when browsers stopped trusting them anyway.

EGreg14y ago

What if everyone did it to some company

1 more reply

j / k navigate · click thread line to collapse