Security without trust

Can we really have security without trusting someone or something?

I came to think about that the other day when trying to improve a server backed desktop application authenticating itself through a third party by popping upp a web browser showing the third party login form. As there are no really good web browser components for Java that you can use without too much hassle I was thinking about doing a Swing form which would post the information to a web page over SSL.

The suggestion was considered insecure and was rejected. When I thought about it I came to the conclusion that this was a matter of trust or should I say distrust. Why was such a solution less secure than popping up a web browser transmitting the same sensitive information? For some reason the third party felt more secure if the information was handled by a random web component from any developer than from a Swing solution by me.

It is all a matter of trust and to have security you must trust someone. When you go to a secure web page you must trust Thawte or Verisign, or whatever certificate authority has issued their security certificate, has done a good job validating the certificate owners identity. Whenever you register on a web page you trust that the site will keep your information secure.

Security is a matter of trust. Who do you trust?