SSL certificate web of trust feature?

[gspr]

Nice project you have going! How about adding functionality for growing an SSL certificate web of trust? Imagine going to a HTTPS site and having a browser plugin say "the certificate presented by the site is trusted by 5 of your Keybase contacts", or something like that. Anything that will help us get rid of CAs is a win in my book…

[i-rme]

I believe that this should not be added to this project, in my opinion that is task of other software. Most people trust all CAs

[gspr]

While I can agree that this might be outside the scope of the project, the fact that "most people trust all CAs" is precisely my point: they shouldn't! Why should "most people" trust "TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş." (included in Firefox by default)? I certainly have no idea who these guys are. I also have very few ways to convince myself that I should ever trust them.

[graphiclunarkid]

I believe this is one goal of the Monkeysphere project, so if Keybase chooses to implement such a feature, it would be great to consider compatibility between the two.

[zQueal]

I believe the overall scope of Keybase is the very reason why this will not be implemented. The attraction of Keybase is that users without any experience in PGP can now, with relative ease be introduced to the methodology. In the same respect, malicious parties could simply trust any given website (in large numbers) and the inexperienced would be coerced into believing that a potentially malicious website could be totally harmless.

I'll throw your own reasoning back at you; if people shouldn't trust CA's, then why should they trust the general consensus of others?

I certainly have no idea who these guys are.

You would also have no idea who the other Keybase users are (personally), so you by your own logic you shouldn't be trusting them, either.

[graphiclunarkid]

I think my trust in a site's SSL certificate would increase if I saw a message like the one @gspr suggested: "the certificate presented by the site is trusted by 5 people you track on Keybase" (emphasis added). In this way it works as a web of trust for SSL certificates and not the general consensus of a bunch of people you don't know. Maybe that would only work if you're only tracking people you know though.

Compare with: having a copy of someone's public key versus signing that key with yours. The former doesn't indicate trust but the latter does.

Hmm... what does it mean, in terms of trust, to "track" someone on keybase?

[zQueal]

the certificate presented by the site is trusted by 5 people you track on Keybase

That would change things considerably. If random users who you have no idea who they are, are trusting websites and I'm supposed to be "Okay, this person think's this website is fine, so it probably is!" is way different from "@maxtaco and @malgorithms both agree that this website is safe and trusted!"

This would put an emphasis to only track those you either personally know, or personally know of.

Hmm... what does it mean, in terms of trust, to "track" someone on keybase?

You can read much more on tracking in #100; specifically this post.

[ghost]

Most people trust all CAs

In fact I am joining this thread because the website proofer appears not to trust CACert-chained SSL certificates, and failed over to HTTP.

[maxtaco]

@talexand At this point, it's likely a bug in your setup, but it could still be a bug in ours. What's the hostname?

[ghost]

hitono.info

SHA1 fingerprint of cert: EA:37:C1:CD:39:2A:AC:D8:ED:F7:46:54:CC:1D:F8:09:15:6C:F2:69

[maxtaco]

There's no A record for hitono.info, but I did find one for www.hitono.info. Visiting https://www.hitono.info in Chrome, Firefox and Safari gives me an SSL cert warning. Our proof checker is failing for the same reason(s).

[ghost]

Sorry, I should have added the www prefix.

As I understand it, CACert hasn't complied with major browser root CA inclusion policies, but has a root included in OpenBSD, for example. Thus, importing the CACert root into your local machine solves the cert warning problem with my domain.

Is Keybase planning to rely on browser standards for site verification in general, or will there be a workaround/WoT addon (to stay on thread topic)?

[maxtaco]

Oh sorry, I missed the CACert part above. This has come up in the past, and so far we haven't included CAcert.

We're not planning any changes here in the near-future. Probably we'll be adding more proof types (FB,Reddit,BitBucket, etc...) first. It's a pretty small set of users who use CACert and the current workaround is just to fallback to HTTP or DNS.

[ghost]

DNS record sounds like an okay workaround. Thanks.