httpd-dev mailing list archives

From Peter Djalaliev <>
Subject Re: pgp trust for https?
Date Sun, 06 Nov 2005 22:31:13 GMT
It is a little unclear to me about the combination of security and
efficiency that we can achieve by using PGP keys and the web-of-trust on the
web. Imagine connecting to your bank or online stock broker. If they would
certify themselves using PGP certificates, they will need to have a large
number of certificates in order for their clients to trust their identity.
Verifying their identity exclusively is just too important to depend on "the
word of mouth", which is in a way what the web-of-trust gives us.

I am not familiar with the business practices of CAs, but I can imagine
how they could get by with having nasty business practices. However, imagine
yourself being a big bank. Would you rather have to deal with a web of trust and
possibly thousands or more certificates, or would you pay a flat fee to a
certifying authority?

Along these lines, I agree with Phillip that the government should be a
certificate authority. They do identity, address, etc. checks when they issue
documents anyway. Issuing a certificate with your public key can just be
another service that they can provide. This can solve the problem of the
unfair business practices used by certifying authorities.

However, I really think that PGP and the web-of-trust have applicability and
usefulness for web sites. For a smaller web site, obtaining a certificate of
sufficient level is quite hard and expensive. These websites usually end up
running their own CAs. If we can replace all these "rogue" certificate
authorities by using PGP and the web-of-trust, maybe we can achieve a better
security model.

What do you think?
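The post contrasts how many signatures a site would need before clients trust it under a web of trust with the single chain a CA hierarchy needs. The following script is an added illustration, not code from the thread or from httpd: it computes key validity the way GnuPG's classic trust model does (with its default thresholds of one fully trusted or three marginally trusted introducers, and a maximum certification depth of five, which are assumptions taken from the GnuPG manual) and, beside it, a minimal CA-style chain check. All key names, signatures and trust assignments are constructed sample data.

```python
# Added example: PGP web-of-trust validity versus CA chain validation.
# Thresholds follow GnuPG's classic trust-model defaults (assumption:
# --completes-needed=1, --marginals-needed=3, --max-cert-depth=5).
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5


def wot_valid_keys(own_key, signatures, owner_trust):
    """Return the set of keys the verifier accepts as valid.

    signatures:  {signed_key: {signer_key, ...}}  certifications on each key
    owner_trust: {key: "full" | "marginal"}       trust the verifier assigns
    The verifier's own key is ultimately trusted, so its signatures count
    as full.  A key becomes valid when, among its signers that are already
    valid and within MAX_CERT_DEPTH, at least COMPLETES_NEEDED carry full
    owner trust or at least MARGINALS_NEEDED carry marginal owner trust.
    """
    depth = {own_key: 0}            # valid keys and their certification depth
    trust = dict(owner_trust)
    trust[own_key] = "full"
    changed = True
    while changed:                  # propagate validity until a fixed point
        changed = False
        for key, signers in signatures.items():
            if key in depth:
                continue
            contributing = [s for s in signers
                            if s in depth and depth[s] < MAX_CERT_DEPTH
                            and trust.get(s) in ("full", "marginal")]
            fulls = sum(1 for s in contributing if trust[s] == "full")
            margs = sum(1 for s in contributing if trust[s] == "marginal")
            if fulls >= COMPLETES_NEEDED or margs >= MARGINALS_NEEDED:
                depth[key] = 1 + max(depth[s] for s in contributing)
                changed = True
    return set(depth)


def ca_chain_valid(chain, trust_anchors):
    """Minimal CA-style check: chain is [(subject, issuer), ...] from leaf
    to root.  Each link's issuer must be the next subject, the root must be
    self-issued, and the root subject must be a configured trust anchor.
    (Signature and expiry checks are omitted to keep the contrast visible.)
    """
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return False
    root_subject, root_issuer = chain[-1]
    return root_subject == root_issuer and root_subject in trust_anchors


# Constructed sample web of trust as seen by the user "alice".
SIGNATURES = {
    "bob": {"alice"}, "carol": {"alice"}, "dave": {"alice"},
    "bank": {"bob", "carol", "dave"},   # three marginal introducers: enough
    "shop": {"bob", "carol"},           # only two marginals: not enough
    "notary": {"alice"},
    "broker": {"notary"},               # one fully trusted introducer: enough
    "stranger": {"erin"},               # signer unknown to alice: no path
}
OWNER_TRUST = {"bob": "marginal", "carol": "marginal",
               "dave": "marginal", "notary": "full"}

# Constructed CA-style chain: one anchor covers every site it issues for.
TRUST_ANCHORS = {"Example Root CA"}
BANK_CHAIN = [("bank.example", "Example Root CA"),
              ("Example Root CA", "Example Root CA")]


def demo():
    valid = wot_valid_keys("alice", SIGNATURES, OWNER_TRUST)
    for site in ("bank", "shop", "broker", "stranger"):
        print(f"web of trust: {site:9} valid={site in valid}")
    print(f"CA chain:     bank.example valid={ca_chain_valid(BANK_CHAIN, TRUST_ANCHORS)}")
    return valid


if __name__ == "__main__":
    demo()
```

Running the script shows the asymmetry the post describes: the bank key is accepted only because three separate introducers whom alice already trusts signed it, the shop with two such signatures is rejected, while under the CA model a single configured anchor makes the bank's chain valid for every client that ships that anchor.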
