Hacker News new | ask | show | jobs
by XorNot 440 days ago
The anti-establishment fervor of open source crypto developers is the reason this is a problem though.

Most people, for most things, don't need to verify trust outside of normal government channels.

i.e. any business I correspond with, trust is via the government that they are a business bound by the relevant legal system I live in.

Same story with communicating with basically anyone: if their GPG key was signed by the common government key, then hey, good enough for anyone.

The problem is...we don't have the infrastructure for any of this. And GPG key servers are inadequate for maintaining suitable privacy for people if they were used at this scale.

But we certainly could provide the means by existing technologies: e.g. nothing stops us making drivers licenses and other forms of ID smart cards.
1 comments
solardev 440 days ago
It depends a lot on the government in question too. In the US very few people would trust the government to handle something like this. The certificate authority system is run by big tech companies and nonprofits, for example, not the government.

Trusting the government as a peer makes sense for government sites, but for anything else, it just makes censorship way too easy.

Even among businesses, we normally trust the middleman (the credit card issuer, and their protections and chargebacks) over the government. If a business screws over a regular consumer, the government isn't really going to do anything.

Maybe you have a more civilized society and functional government where you live. We don't.

link
XorNot 440 days ago
You've just listed out a bunch of alternate trust roots which, with appropriate infrastructure, could also easily provide practically secured E2E communications which would be adequate for real world use.

The point isn't "trust the government" the point is trust is contextual and the notion of "key signing parties" always missed it (and if you actually go and read up on the concept, government ID documents were considered to be something to ground whether a signature should be issued by someone so it was already baked into the system anyway).

link
solardev 440 days ago
Well, I think that's actually the point, no? This was never a technical challenge (not for a few decades, anyway), but a question of which authority to trust.

Companies rolled their own out of a commercial need. The FOSS community didn't trust the government or big companies so never fully solved the problem. Users just don't care.

link