Trust?
Trust is on the opposite side of the word Secure. The more you (the internet surfers) trust your society, the smaller the locks (passwords) are.
NCC Group has published a set of security standards that you'll have to follow if you want to operate a .trust website. The company owns the rights to sell dot-trusts, and uploaded the 124-page policy document [PDF] earlier this month. It provides a technical rundown covering network security to secure DNS settings, and NCC …
Nice in theory, but I can't see how this can work in the long run as they have a conflict of interest.
Nobody wants to lose a paying customer, and ultimately that's what they'd have to force themselves to do if they want to have a trusted service. With targets to meet they will ultimately be inclined to keep the customer.
Without divulging my employer, I'll simply say we received a visit from the NCC Group encouraging us to register ourcompany.trust. What the story doesn't overtly say is that you can't register a .trust simply by meeting all the rules... you must ALSO pay the NCC Group more than $100,000 USD/year to monitor your organization to see that you are complying with their requirements.
I suggest it's a business model that's doomed to fail - ESPECIALLY if something like ".secure" is available that isn't so monopolistic in nature. Finally, the whole .trust model only works if nothing in the .trust domain is ever compromised. However, the moment something in the .trust domain *is* compromised, I no longer have reason to ".trust" the system/process/registrar (pun intended).
"r a .trust simply by meeting all the rules... you must ALSO pay the NCC Group more than $100,000 USD/year to monitor your organization to see that you are complying with their requirements."
How interesting.
You've registered this name specifically to make the world aware of this.
How very public spirited of you.
The problem with the scenario is that, in spite of all the safeguards in place, a Trent is still needed. Thing is, as we've seen, Gene and Mallory have gotten smart and are now starting to target Trent in an attempt to subvert or impersonate Trent (think dodgy CAs). The bigger he is, the bigger the target is on his back.
I expect banks will sign up in droves.
Many are keen to address the worries that lots of their customers have about online security. $100k a year isn't even small change for them, and you can imagine the hype they will use with it to reinforce their "your security is our priority" message.
It doesn't really matter whether .trust sites are more secure or not, only that the bank customers believe that they are.
Ignoring the cost of .trust itself, the guidelines in the policy document make a LOT of sense, and they are not excessively onerous. I'd go so far as to say that every website - indeed every Internet-connected organisation - should implement them.
The trick is with auditing. Surely someone can do that for less than $100K per annum?