Who wants a blogpost about what a root of trust actually is and why almost all existing implementations don't actually provide that trust?
@mjg59 isn't a root of trust something you trust implicitly? How could it not be trustworthy? 🙂
@jamesh @mjg59 Implicitly or explicitly? Also, there's a difference between 'providing trust' and being trustworthy.
@jamesh @mjg59 If we really want to be pedantic, there's also a difference between "trustworthy = perfect" and "trustworthy = good enough to be useful"

@BenAveling @mjg59 I was thinking of traditional PKI systems in particular, where a key is trusted if it is the root of trust, or signed by a key that is trusted to make signatures.

In that sense, the root of trust is trusted axiomatically.

@mjg59 @jamesh I suspect Matthew is talking about zero trust/trusted computing. Not unrelated, granted.
If PKI, then yes, the root certificate is explicitly trusted, by virtue of being put in the certificate store. That said, given that most of us didn’t build our own certificate stores, the question where does trust come from still lingers.