httpd-dev mailing list archives

From Colm MacCarthaigh <>
Subject Re: pgp trust for https?
Date Tue, 08 Nov 2005 12:41:00 GMT
On Tue, Nov 08, 2005 at 12:02:03PM +0000, Brian Candler wrote:
> The attacker doesn't have your private key, so they would create their own
> key pair. As a result, the connecting client would see a *different* key
> than the one they would see if they connect to your server directly. The
> problem is, they have no way of telling which key is the one which belongs
> to you, and which one is the one which belongs to the attacker.

Like many here, I've met Nick, and he gave me his key details in person.
That makes me plenty insulated from a man-in-the-middle attack. That's
how PGP works.

> If the client knows you personally, they can phone you up and ask for you to
> read the key fingerprint over the phone, or fax it to them. That doesn't
> scale very well.

No, but it is a lot closer to an actual trust relationship. Trust
doesn't scale. I mean, how many people do you trust?

> So generally the client has to rely on a third-party to sign the key;

That's the part a lot of us don't consider trustworthy.

Colm MacCárthaigh                        Public Key:
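The in-person fingerprint exchange described above, as an added example that is not part of the original thread or of anything the httpd project ships. It shows the mechanical check that the exchange makes possible: a fingerprint obtained out of band (in person, by phone, by fax) is compared against the fingerprint of whatever key a connection presents, so a substituted key is detected. The "keys" are constructed byte strings standing in for DER-encoded public keys, and `FINGERPRINT_FROM_NICK` is derived from the sample key here rather than written down beforehand; `fingerprint`, `normalize`, `verify_pinned` and `check_connection` are names chosen for this example.

```python
"""Out-of-band key fingerprint verification (added example, not from the thread).

If you hold a peer's key fingerprint obtained in person, a man-in-the-middle who
substitutes their own key pair is caught because the presented key no longer
matches the fingerprint you hold. Keys below are constructed stand-ins for
DER-encoded public keys; real keys are much longer.
"""
import hashlib
import hmac
import re


def fingerprint(key_der: bytes) -> str:
    """SHA-256 over the key bytes, rendered as colon-separated upper-case hex."""
    digest = hashlib.sha256(key_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept a fingerprint read over the phone or copied from a fax: drop
    colons, spaces and case so formatting alone never causes a false mismatch."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def verify_pinned(key_der: bytes, expected_fp: str) -> bool:
    """True only if the presented key's fingerprint equals the one obtained
    out of band. compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(normalize(fingerprint(key_der)),
                               normalize(expected_fp))


# Constructed sample "keys" (stand-ins for DER-encoded public keys).
NICKS_KEY = b"-- constructed DER bytes standing in for Nick's key --"
ATTACKER_KEY = b"-- constructed DER bytes standing in for an attacker's key --"

# The fingerprint recorded when the key was handed over in person. Constructed:
# derived from the sample key here; in practice it is written down beforehand.
FINGERPRINT_FROM_NICK = fingerprint(NICKS_KEY)


def check_connection(presented_key: bytes) -> str:
    """Decide whether to trust the key a connection presented."""
    if verify_pinned(presented_key, FINGERPRINT_FROM_NICK):
        return "key matches the fingerprint obtained in person; proceed"
    return "fingerprint mismatch: possible man-in-the-middle, abort"


if __name__ == "__main__":
    print(check_connection(NICKS_KEY))      # matches
    print(check_connection(ATTACKER_KEY))   # mismatch, abort
```

The check is deliberately independent of any third party: nothing here consults a certificate authority, which is exactly the property the message values. What it does not solve is the scaling problem raised in the quoted text, since every fingerprint still has to be obtained from the key's owner by some trusted channel.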
