undefined | Better HN

0 pointseinhverfr11y ago0 comments

Trustless is great for so many things but try answering this question in a trustless environment: "Before I give you my credit card info, how do I know you are who you say you are?"

If you can answer that without trust. .

0 comments

vertex-four11y ago

You can know that you are talking to the same named digital identity that you think you are talking to without trust; that's a significant amount of the value of Namecoin. Validating that a digital identity is tied to a specific real world identity is a separate problem.

einhverfrOP11y ago

> Validating that a digital identity is tied to a specific real world identity is a separate problem.

But it isn't for the main areas of SSL usage (e-commerce, ensuring your passwords are sent to the right party, etc). Those require trust. I don't know how you get around that.

I.e. I can imagine the concern being that X.509 ties together validating identity with public key infrastructure but since one use of a public key is to validate identity I am not convinced that is a bad thing, and to be honest, I can't see a trustless alternative for most of the current uses.

I can imagine many better alternatives to X.509 (anything that starts with a letter . three digit number is OSI legacy crap), but I don't see how to get rid of the identity vouching aspect of it.

vertex-four11y ago

As a general rule, people care that their connection is secure, because they've been told to worry about people stealing their card numbers on insecure sites. They've generally established trust in other ways - more commonly, they simply trust it because they've heard about it elsewhere or it ranks highly on Google, and they use a trusted payment provider such as Paypal.

Most people honestly don't go to the effort of verifying that a certificate matches the real-world identity they think it does. It's difficult, especially with smaller stores that don't use EV certificates.

For cases where people think third-party attestation is a necessary thing for their purposes, frankly, we have nothing better than the CA model right now; but that can easily be integrated with Namecoin, allowing for only those who need it to use it, and the rest to have access to secure communications and proofs of digital identity without having to pay up.

j / k navigate · click thread line to collapse

0 comments

vertex-four11y ago

einhverfrOP11y ago

> Validating that a digital identity is tied to a specific real world identity is a separate problem.

But it isn't for the main areas of SSL usage (e-commerce, ensuring your passwords are sent to the right party, etc). Those require trust. I don't know how you get around that.

I can imagine many better alternatives to X.509 (anything that starts with a letter . three digit number is OSI legacy crap), but I don't see how to get rid of the identity vouching aspect of it.

vertex-four11y ago

j / k navigate · click thread line to collapse