Hacker News new | ask | show | jobs
by loudmax 681 days ago
Cryptography lets you certify attestation. So an organization can certify that an image is legitimate, and you can cryptographically verify that this organization has indeed certified that this is a legit image.

That's it. It doesn't verify that the image itself is real, only that some organization has put their stamp of approval on the image. You can verify that the image wasn't tampered with between when they approved of it and it got to you, but you can't verify that the image was real to begin with.

On principle, you could build a chain of certification into the camera itself but this strikes me as a losing battle because you could just stage whatever you want in front of the camera.

The impetus then is on organizations to build that trust.
2 comments
unshavedyak 681 days ago
My question is how would those stamps exist in the first place? Is the idea that Canon or w/e will ship their physical cameras with keys, and sign those images with the keys. Now when you go to look at an image it'll be verified Canon, or w/e.

In that world wouldn't keys leak pretty easily? The key exists on the device. Is there a way this sort of stuff is actually viable? Or do i have the model entirely wrong?

link
loudmax 681 days ago
You're right, hardware keys will leak. The idea is not to put trust into hardware, but to put trust into organizations.

Some photographer gives images to a news organization, and they take the photographer's word for it that these images are real before they sign and redistribute them. They trust the reporter, and you trust the organization. Or if the reporter has built enough credibility, they can vouch for the images themselves and you can trust them directly.

Cryptography allows you to verify that this reporter or organization attests that the images are what they claim. It doesn't allow you to verify whether the organization is worthy of your trust.

Either way, the system relies on being able to trust people, not things.

link
JohnFen 681 days ago
> The impetus then is on organizations to build that trust.

And that's where it all falls apart.

link