[standards-jig] XML Encryption

dirkx at covalent.net dirkx at covalent.net
Mon Mar 18 18:29:09 UTC 2002


On 18 Mar 2002, Thomas Muldowney wrote:

> We can't place trust in the servers, we can't place trust in a major 3rd
> party in a highly distributed system, and we can't trust the users.
...
> Where's the trust?

Trust is not absolute. In a lot of deployment worlds certain levels of
trust are enough - and do not need a corporate CA to be part of the chain.

What I am referring to is that if I get a signed message with a public key
inside it from Mr X - and I do not really know him - over time as I
communicate with him under that key - and perhaps using secondary hints
such as DNS resolving right, his web site, his email - I get a practical
enough trust relation. It is not perfect - it is good enough.

So really what I want is a trust tracking and building tool. Absolutes are
not that needed.

I have the same when I walk into a shop and pay by credit card. Is the
shop real, is the guy behind the counter actually in the employ and no
imposter, can he or she be trusted, is the credit card swiping device
real? Chances are that they are real enough for me - and there is the credit
card rules of engagement to back it up.

Would I buy a house with a credit card without checking in the land
register or kadaster/cadastrale if the owner is the owner - probably not
:-)

Dw



