undefined | Better HN

0 pointsivan_gammel7mo ago0 comments

If it’s PKI and there’s verification on each stage, maybe. Just different sort of centralization. If keys are self-issued, it’s still a problem. Say, you add a new dependency from a repository XXX. A new version is released signed by another key, which appears to be legitimate. What are you going to do? Run full KYC on new credentials? Distrust the new dependency version and fork the library? Just ignore assuming that repo has verified it?

With central repo you may expect that they operate under increasingly stronger security standards and even if you missed malicious update, there’s higher chance that it was taken down by someone else. In decentralized environment your risks are higher and attention surface bigger.

0 comments

binary1327mo ago

Whence this idea that Web of Trust is an unsolved useless design that requires central certificate authorities?

The fact is that even the “canonical” CA’s can’t be automatically trusted, but here we are. CA is just one shitty implementation of WoT that has been near-universally imposed on us and most people simply accept as a necessity of life, but it isn’t necessarily the only way. It’s just how it is right now.

ivan_gammelOP7mo ago

Web of Trust is highly theoretical concept, which is unlikely to scale well for millions of people. It's a technical solution to a people problem and we barely solved this people problem already (to a few nines, but not absolutely) - through a sophisticated centralization.

j / k navigate · click thread line to collapse

0 comments

binary1327mo ago

Whence this idea that Web of Trust is an unsolved useless design that requires central certificate authorities?

ivan_gammelOP7mo ago

j / k navigate · click thread line to collapse