[Servercert-wg] Displaying secure sites to Internet users

Tobias S. Josefowitz tobij at opera.com
Sat Nov 16 12:18:33 MST 2019

On Fri, 15 Nov 2019, Christian Heutger via Servercert-wg wrote:

> Hi,
> Problem description is easy. The internet by design is an anonymous 
> place. But if you like to do transactions via the anonymous internet 
> (online shopping, online banking, providing privacy concerned data, ...), 
> identity would help to increase trust (and security as well, information 
> security is based on confidentiality, integrity and availability, 
> but also authenticity, reliability, non-repudiation and accountability) 
> to be sure, to whom you transfer your data, where you place your orders, 
> where you try to login etc. Phishing is one of the strongest factors 
> here, but also to prevent from cybercrime, e.g. being on a valid website 
> of a valid company, public organization etc., which may be trustful to 
> work with (or could use the information to check, if it's trustful in 
> your point of view). As e.g. whois data has now been hidden because of 
> GDPR and similar privacy regulations (although you couldn't rely on, as 
> the data is not validated), it's getting harder and harder to 
> differentiate valid and trustful sites from phishing, scam and other 
> ways of cybercrime. Phishing sites and cybercrime increase and look to 
> be reliable by being encrypted and "secure". Recent education of 
> companies, organisations, ... based on "look for https" which recently was 
> a trust factor, time ago before DV, now it isn't any more, as it lost 
> validation (authenticity) factor. That's the problem description. You 
> need to look at noobs, not at internet professionals. You won't be able 
> to educate them on how to check the involving quality of phishing, scam 
> (e.g. piracy sites) and cybercrime (e.g. "copied" valid webshops), check 
> the website for any evidence of possible curiosities. It must be a 
> solution, which can be adopted by many and trained with ease. Browser 
> and platform independent.

After reading this, I would like to point out that the people, the 
individuals participating in the CABF on the behalf of the respective 
members (or as themselves as Interested Parties), are altogether employed 
in lines of work where working with and understanding identity is very 
central to their duties.

The average web user these days is, no offense, probably not living in the 
more developed parts of the world, uses the web on their phone, quite 
possibly by speaking "[social network of choice]" into their mobile 
phone's smart assistant, and is facing challenges in their life that most 
of us could quite possibly not even begin to imagine.

It seems natural that our little group of well-fed, educated and 
successful people would look to identity as the one ring to bind all the 
problems, but honestly in the greater picture I see little reason to even 
start to assume that identity (of entities or persons) as a solution would 
not end up with all of the problems that identity of domains already 
exhibits, and then some.

Trying to find solutions in this problem space is obviously for the 
benefit of the web, internet, computing and society, even humanity. I do 
not want to discourage anyone from working on these problems, by all 
means. But I believe we have better chances of succeeding if we understand 
the sheer vastness of scope of what we are up against.

