DEF CON is an annual hacker conference where software developers, security professionals and others come together for talks and events about cracking systems. Although it is attended by many government agents, the community has a healthy contempt for government. Some past speakers have advised on how to improve your chances for privacy in light of state snooping, while others exposed government operations and propaganda.
One particularly interesting presentation was by Moxie Marlinspike, who spoke about freeing the internet from certificate authorities. The Certificate Authority program is currently used as an integral part of how web browsers create secure connections with web sites. This system is flawed because it relies on a single entity to arbitrarily decide who is trustworthy and who is not. Furthermore, it has a one-size-fits-all approach that not only takes away individual choice in the present, but also prevents people from choosing whom to trust in the future. Trust, however, is not some innate quality of a person or organization that can be determined independently. Trust is a relationship between people.
Moxie’s solution is called Convergence, and it works just like trust and reputation do in the real world. Instead of having a single authority who must be trusted by everyone, each individual can decide whom to trust. Furthermore, that trust is easily revoked if someone proves to be unreliable.
Libertarians will notice how Convergence solves the trust problem the same way a free market justice system would solve disputes between competing judicial entities. Instead of trying to build a hierarchical structure controlled by a single absolute authority, a better solution is to allow individuals to decide for themselves who they trust to resolve conflicts. In the same way, Convergence allows individuals to decide who has enough credibility to participate in online authentication.
Not only is this a better system from the perspective of correctly assigning trust, but it is also better from the perspective of privacy. The certificate authority system is riddled with security holes that allow governments to spy on ostensibly secure communications. Taking this away will help protect people from government snooping as well as regular criminals. It also has the benefit of showing people how problems can be solved without following the state model of having one arbitrary authority to resolve them. Convergence is a technological step towards a more secure internet and could also prove, in the long run, to be a mental step towards freedom from government.
The power to authenticate is in many cases the power to control, and handing all authentication power to the government is beyond all reason.
—Ronald L. Rivest, 1998