Personal tools
Sections
You are here: Home Elliott's Blog Webs-of-Trust, and Winter Vacation

Webs-of-Trust, and Winter Vacation

Posted by admin at Dec 23, 2009 12:40 PM |

December 23, 2009

Webs-of-Trust, and Winter Vacation

Web levels of trust...

Charlotte, NC

 

I'm ensconced with Ann and my daughters at the place in the city, a venerable low rise in an historic district with a view of parks and towers. Two of us are dealing with winter bugs: I've got a code id by doze, and Meg's got the symptoms of swine flu coming on. It's going to be a low-key Winter Fest for us here, I think.

 

I was wanting to make a side-trip while I was up here to go get "verified" by a web-of-trust notary.

 

"What's that?", you say.

 

Ah, glad you asked.  A web-of-trust is a system by which an individual can certify his identity with other individuals who have had to certify their identity, for the purpose of placing that identity on a publicly used cipher-key for use with a secure web-site.

 

"Uh huh", you say, with a slightly blank look.

 

Ok, I say, think of it this way...

 

You are wandering in a city, and you see a building. The building has a door. The door is wide open. There are no signs, and you don't know what this building is, or what is inside, but you go on in, and look around.  You don't know whose building it is, nor do you know the name of the building. On a metaphysical level, let's imagine you can't remember exactly what city you're in. It's dream-like. You're not even sure where this building you've entered IS.

 

Would you make any purchases in there, presuming they were selling anything? Would you feel at ease telling them who you are, your address or bank information? Probably not.

 

Well, that describes an ordinary, un-verified, insecure web site. We wander through those all the time, and it is a bit dicey to obtain or leave anything in those. You should never blithely type your credit information into a blank form on such a page. It would be like writing it with chalk on the wall of a train station. Anyone might see it there, if they went looking for it.

 

Would it help if the building had a sign on it?  How about this: now the building has a sign saying, 'Pawn Shop'. Not much help that. You know what kind of shop it is. Well, that's something, but what if you wanted to make a private transaction, and be sure of its privacy. You don't know who you are dealing with. Let's pretend you're a secret agent, and need to do this trade unobserved. Can you do this in a generic pawn shop, in an unknown place, with no knowledge of the ownership? And the door and windows wide opened, like an arabian bazaar, no privacy? Too risky. Again, this describes the common internet.

 

How about the sign says, 'Pawn Shop, private trading'? The owner says, you can trust us, we'll close the blinds. Let's do business! He provides a measure of privacy, but you ask, Who are you? And you get no certain answer. He's closed the blinds, and locked the door to the street, but you don't really know who you are dealing with. All you do know is that you are in a private space that some stranger has created.

 

This describes pretty well a web-site that offers a layer of security with a cipher key, but that key is "self-signed", and made entirely by the owner of the site. It does offer privacy from the rest of the internet, from the "street" if you will, but you still have no idea who you are dealing with, unless maybe you personally know the guy from prior experience, in which case you might be comfortable with the arrangement.

 

Ok, then:  Now the sign says, "Swap-Mart, Ltd. Owned and operated by Joe Schmoe, licensed by the city of New Dork, Tasmania. These premises certified by to be free of surveillance of any kind by the Prince of Tasmania." The sign bears the Prince's utterly unique imprint. Well, that's pretty cool, because it so happens that your country is an ally of Tasmania, and share the same values. Ok, now, this is a place you can deal with. Not only do you know that it's a registered and licensed establishment, but you trust the certificate presented.

 

This exactly describes a cipher-secured website using a public key provided by a known certificating agent, such as Thawte or Verisign. The certificating agent has high standards which require that the website register its domain name with them, and ALSO have presented bonafides identifying exactly who owns and operates the website, either a sole-proprietor or some licensed corporate entity. You can generally do business with good confidence under these circumstances, and the cipher keys can be trusted to prevent the rest of the internet from eavesdropping on your exchanges.

 

But let's say that the Prince of Tasmania charges a whoppin' big fee for obtaining his certification. (Thawte and Verisign certificates don't come cheap, I can tell you). Well it's nice to know that the web offers an alternative for obtaining certification for websites that have a legitimate need to present a registered and secure cipher-key to their users. It's called a web-of-trust certification, and it works like this:

 

Some certifying agencies work in this fashion: they examine bona-fides and provide certificates for applicants. For corporate clients, it works just like the big boys: they examine the articles of incorporation, take a fee, and issue a "verified corporate signed-certificate". For individuals, they verify identity, take a smaller fee, and issue a "verified-individual signed-certificate". Here's where it gets really nice:  they also allow "verified individuals" to act as "notaries" to verify other individuals, in turn, and this procedure allows the "notary-verified individuals" to obtain registry of their cipher keys for public use, albeit, at a lower level of confidence than the corporate-level cipher keys.

 

With the web-of-trust I'm working with, it requires presenting two forms of government issued picture ID to two different notaries in the system. If they are satisfied that you are who you have shown yourself to be, they inform the certifying agent, who, in turn, will issue you a "notary-verified" level certificate. Your only cost is the time and effort to present yourself to the two notaries,  and you can hang "signage" on your web which bears your certificated identity. This in turn gives your public clients confidence to do private business with you, because the certifying agency attests to your identity, via the trust it has placed in its notaries.

 

This is a very workable alternative for smaller web-entities needing a secure and trusted trading forum: they might not be Bank of America, but they still need verifying and certificating authority on some level to be able to function. A "web-of-trust" fills this need nicely. I recommend looking into the services provided by StartSSL.com, if any of the above describes something you've been hankering after for your own secure website.

 

 Aren't you glad you asked?

Document Actions
Powered by DISQUS comment system