A security researcher was able to revoke a third party's Symantec certificate by presenting a fake private key.

https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html

Symantec have at least acknowledged that this is a problem.

https://www.symantec.com/connect/blogs/third-party-revocation-updates

... but seriously, why do we even still have PKI? Shouldn't DNS registrars be the ones signing certs.After all, that's *all* a cert means, that you own a domain.

@natecull Well one thing's for sure, we ought to kill the CA cartel. Let's Encrypt is a start, but the entire design is wrong.

So we know the goal... Like DNS, finding a proper solution is still a WIP :)

@cwebber @natecull Much like Congress voting themselves a pay-cut I'm pretty sure no CA in their right mind is going to take disbanding their cartel lightly.

@craigmaloney @natecull Well I think you want to design a system where the CA doesn't have to opt-in to it :)

@cwebber @natecull Unfortunately I think it's easier to notarize a business than a person. Businesses have paper-trails and a general covenant with the state and federal governments that they're not up to any shenanigans.

That said, even businesses can be deceitful and the only legal recourse is to dissolve the ability for that business to exist in the legal sense.

The CAs take some of the legal responsibility for determining legitimacy, but ultimately they're just as fallable

@craigmaloney @natecull I'm not so sure. What's a person in terms of identity? I think we've had enough interactions where I could notarize you. Could identities be forged? Sure, happens in real life too. Identity is messy, but...

@natecull @craigmaloney
Here's another assertion: a person probably shouldn't just have one identity. Identity is association, and inherently many to many. The motivation behind DIDs is partly coming from the refugee crisis, and individuals being disconnected from their state-issued identity.

Compelling user story writeup here: https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-fall2017/blob/master/topics-and-advance-readings/RWOT-User-Story.md

@cwebber @craigmaloney I skimmed this and I wish I could grasp quite how it works - I get the sense there are two keys for a user, Control Key and Owner Key? Huh?

If I feel confused, and I know a little bit about crypto (never coded, but did use PGP briefly back in the day), is it maybe too complicated?

I know crypto is tricky and trust is very hard to algorithmically define, but can we make this easier somehow?

Will reread and try to grasp what's going on.

@craigmaloney @cwebber

Like I think can't we literally start with JUST:

1. 'I am the entity who controls this identity', and

2. 'This piece of information was authored directly by this identity'

where 'entity' may not even be a person, because we need to allow machines to communicate just as much as we need to allow humans.

and then build up from there?

MAYBE there are things a human ID needs that a machine doesn't but we need to start with the core basics.

@cwebber @craigmaloney like right now the thing I'm very much worried about is that:

1. All our communications are stored on devices we don't 100% trust or control

and

2. All our communications are routed through networks we very much do NOT trust or control

and

3. All these devices and networks are going to lie and fake communications from us, if they can

and

4. Hostile humans at all levels of governance from crime to US President are strongly forcing 3

@craigmaloney @cwebber so maybe we need some kind of personal authenticator device and PIN/password combo, and then we need a way of using this to sign key requests and send them over unsafe, untrusted channels which might include 'the very phones we're typing on'

@cwebber @craigmaloney and of course all cloud VMs are COMPLETELY unsafe (with regard to privacy or key material, which can, so I assume WILL, be harvested silently in bulk by natsec-level operators with no awareness by sysadmins - slightly better with regard to hostile changes, as those can be detected by the sysadmin).

Basically only something you physically hold can hold key material, IMO. And it can also be stolen.

@craigmaloney @cwebber But, eg, in the case of Syrian refugees we would NEED to assume that 1) Putin and 2) Trump (+Stormfront, etc) will have the ability and motivation to send national security demands via their militaries and spy infrastructures to telcos, phone operators, app stores, cloud VM hosts, etc. How might people with compassion and some limited tech autonomy be able to work around this?

eg assume the Syrian hacker army is an arm of .ru AND .gov.

@cwebber @craigmaloney also eg:

in the case of 'mobile app development' I don't even understand why verifying Donna's identity should matter at all to Bob.

If the app architecture is so badly designed as to mean that if Donna were a spy her app would have root permissions on any device it ran on.... then something's already gone badly wrong.

And even if we can prove Donna's ID it doesn't mean she isn't an agent of some foreign power, or can code correctly.