Thursday, September 29, 2005

Trusted Websites?!?

How and why do we establish trust in the online world? How and why do we establish trust in the real world? Shouldn't the two be approached similarly?

Consider email encryption. PKI-based solutions, where a central authority vouches for every certificate, have languished while PGP, where each user decides whose signatures to trust and how far that trust extends, has flourished. Why? Because the trust model for PGP maps more closely to the way society works. Establishing trust for websites should map to the real world in the same way.

Imagine you are traveling out of state in a town you've never visited before. If you were looking for a restaurant, would you trust a sticker on the door that said "American Restaurant Association Approved"? Sounds legit, but who the heck is the ARA? How do you know the sticker wasn't forged? You are far more likely to trust a brand name, or the advice of a trusted friend or associate.

A far better idea than attempting to establish centralized third parties is to build "peer to peer" or community-based rating systems such as those used by eBay or Slashdot. Such systems have their own failure mode, ratings gamed by fake or colluding accounts, so whatever replaces the central authority still has to make vouching cost something. I doubt that "TrustWatch" or any other system can ever obtain the necessary ubiquity to be useful.
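The two trust models contrasted above (the central authority behind PKI and the "trusted friend" behind PGP and community ratings), as an added example that is not part of the original post: a hierarchical PKI check, where a certificate counts only if its chain reaches a root the verifier installed, beside a simplified PGP web-of-trust computation using GnuPG's default thresholds (one fully trusted signature or three marginal ones, certification depth at most five). Every certificate, key, signature and trust setting below is constructed for illustration; the web-of-trust routine is a model of the published rules, not GnuPG's own code.

```python
# Added example (not from the original post): hierarchical PKI beside a
# PGP-style web of trust. All certs, keys and trust settings are constructed.
from dataclasses import dataclass, field


# --- Model 1: hierarchical PKI. A cert is acceptable only if its issuer chain
# reaches a root the verifier installed. Trust in a root is all-or-nothing; a
# root you never installed (the "ARA" sticker) counts for nothing.
@dataclass
class Cert:
    subject: str
    issuer: str  # subject of the signing cert; equals subject for a self-signed root


def pki_valid(subject: str, certs: dict, roots: set, max_depth: int = 8) -> bool:
    """Walk issuer links from `subject` until an installed root is reached."""
    seen, cur = set(), subject
    for _ in range(max_depth):
        if cur in roots:
            return True
        cert = certs.get(cur)
        if cert is None:  # issuer we have never seen: chain is broken
            return False
        seen.add(cur)
        if cert.issuer in seen:  # self-signed but not installed, or a cycle
            return False
        cur = cert.issuer
    return False


CERTS = {  # constructed sample chains
    "RootCA": Cert("RootCA", "RootCA"),
    "IntermediateCA": Cert("IntermediateCA", "RootCA"),
    "shop.example": Cert("shop.example", "IntermediateCA"),
    "fake.example": Cert("fake.example", "UnknownCA"),
    "ARA": Cert("ARA", "ARA"),
    "diner.example": Cert("diner.example", "ARA"),
}
ROOTS = {"RootCA"}  # the only root this verifier chose to install


# --- Model 2: PGP web of trust. Each user sets how far they trust other key
# owners as introducers (owner trust). A key is *valid* once enough valid,
# trusted keys have signed it. Thresholds follow GnuPG's defaults
# (--completes-needed 1, --marginals-needed 3, --max-cert-depth 5); classic
# PGP needed two marginals. Simplified model of those rules, not GnuPG's code.
@dataclass
class PgpKey:
    owner: str
    signed_by: set = field(default_factory=set)  # owners whose keys certified this one


SIG_WEIGHT = {"ultimate": "complete", "full": "complete", "marginal": "marginal"}


def wot_validity(keys: dict, owner_trust: dict, me: str, completes_needed: int = 1,
                 marginals_needed: int = 3, max_cert_depth: int = 5) -> dict:
    """Return {owner: certification depth} for every key judged valid.
    Fixed-point iteration: a newly valid key may in turn validate keys it signed."""
    valid = {me: 0}  # my own key is valid by definition
    changed = True
    while changed:
        changed = False
        for name, key in keys.items():
            if name in valid:
                continue
            completes = marginals = 0
            depths = []
            for signer in key.signed_by:
                # A signature counts only if the signer's key is already valid,
                # within depth, and I gave its owner some introducer trust.
                if signer not in valid or valid[signer] >= max_cert_depth:
                    continue
                weight = SIG_WEIGHT.get(owner_trust.get(signer, "none"))
                if weight == "complete":
                    completes += 1
                elif weight == "marginal":
                    marginals += 1
                else:
                    continue  # valid key, but not trusted to vouch for others
                depths.append(valid[signer])
            if completes >= completes_needed or marginals >= marginals_needed:
                valid[name] = min(depths) + 1
                changed = True
    return valid


KEYS = {  # constructed sample keyring: who signed whom
    "alice": PgpKey("alice"),
    "bob": PgpKey("bob", {"alice"}),
    "carol": PgpKey("carol", {"alice"}),
    "dave": PgpKey("dave", {"bob"}),
    "erin": PgpKey("erin", {"carol", "dave"}),
    "grill.example": PgpKey("grill.example", {"erin"}),
}
OWNER_TRUST = {"alice": "ultimate", "bob": "full", "carol": "marginal", "dave": "marginal"}

if __name__ == "__main__":
    print("diner.example via uninstalled ARA:", pki_valid("diner.example", CERTS, ROOTS))
    print("GnuPG defaults:", wot_validity(KEYS, OWNER_TRUST, "alice"))
    print("two marginals suffice:", wot_validity(KEYS, OWNER_TRUST, "alice", marginals_needed=2))
```

Two points worth noticing when running it. In the PKI model, "diner.example" flips from rejected to accepted the moment the verifier installs the "ARA" root; there is no middle ground, which is exactly the sticker-on-the-door problem. In the web-of-trust model, "erin" becomes valid only when the verifier lowers the threshold to two marginals, and even a valid "erin" cannot vouch for "grill.example" because the verifier never assigned erin any owner trust: a key being genuine and its owner being a trustworthy introducer are separate decisions.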

While we're near the topic, I hope nobody believes that SSL and HTTPS are the answers to online security (Sorry Verisign). SSL tells you the channel is encrypted and that a certificate authority vouched for the server's name; it says nothing about whether the party behind that name deserves your trust. As an exercise for the reader, go read this:


