BayMOO Security Authority

Your communication with this web-server is currently unencrypted. Before you begin SSL communications, we would like to visit the concept of trust.

Trust

If you have ever traveled by plane or bus, you have probably spent some time in close quarters with total strangers. Your interaction with them can be lively, or even nonexistant. You could learn something new, or become the victim of a confidence crime. But complete strangers rarely remain so for very long.

What's strange about a stranger?

After we spend time with strangers, they become familiar, and sometimes even friends. During this time we are conciously (or subconciously) gathering details about the stranger that we later use to establish trust. But before we can establish trust through these details, we have to establish trust in the details themselves. How does that happen?

Can you trust your eyes?

When you were born your brain had to create and establish pathways to your sense organs. After that, it had to determine just how the signals from these organs had any relevence to your future safety and comfort -- it had to learn to trust what it saw. Of course, if we were all born perfectly paranoid it would be impossible to build even this basic level of trust. After all, how could we trust that our pathways hadn't been tampered with? What would make us establish these pathways in the first place? The answer lies in the concept and in this case, the genetic representation, of the unverifiable level 0 trust entity.

Can you trust your brain?

In the brain system we described above, something unrevokable made it possible to build a trust model. In humans and other mammals this unrevokable instinct is encoded in our genes. If we have no trust in the functioning of our minds, we have no trust at all. (Paranoid schizophrenia, in which an individual believes his or her own mind to be untrustworthy, is one such example of a broken trust model).

But if you have faith in your level 0 trust entity, an infinite number of relations can be built: With your eyes you can monitor the behavior of a stranger. With behavior you can derive trustworthiness. With trustworthiness you can make a friendship. With a friendship you can share trust: Was this movie good? Is that car safe and reliable? This kind of trust ultimately affects our safety and comfort. These are the concepts that we use to describe theoretical trust.

If the world is flat, what holds it up?

In the school of thought that envisions the world sitting on the back of a giant turtle, it is left up to God to worry about what the turtle stands on. In the realm of theoretical trust on which SSL is based, we leave our faith in certificate authorities. In your web browser is encoded a database of signatures of trusted certificate authorities. At one level or another these authorities have promised the maker of your web browser that they will take on the legal responsiblity of keeping track of the whereabouts of anyone who holds a certificate with their signature.

Certificates and identity

To make authentication (and ultimately security) possible, SSL relies on theoretical trust to operate. At the establishment of an SSL session at least one party reveals an electronic certificate of identity to the other. If either side feels that the identity of the other party is not authentic, it can choose to disconnect.

When you visit an SSL-enhanced website, both the website and your browser may choose to exchange electronic certificates. Under most cases, only the website provides a certificate and the browser is allowed to remain anonymous. But most web-browsers are programmed to critically analyze the identity of a website by consulting the browser's built-in level 0 authorities. If the certificate displayed by the website does not have any certification seals matching those of the browser's built-in authorities, the browser will ask you what to do.

Below is a link which establishes SSL communications with this website. In setting up this research project, we did not obtain a certificate seal from any of the recognized authorities, and consequently, your browser will notify you of this fact. However, most browsers recognize that the decision to communicate with a site doesn't necessarily have to be based on the legal requirements previously outlined. This site is one of those cases. By accepting this site as authentic, you are merely telling your browser "hey, it's ok. I don't know where this site has been, but I don't have to loan it my car either."

I'm ready!

If after reading all of the above text, you feel confident enough to continue, (and you should!), you are ready to enter the BayMOO Security Authority project.


Email: jeremy, at baymoo "dot" org