httpd-dev mailing list archives

From Phillip Susi <>
Subject Re: pgp trust for https?
Date Sat, 05 Nov 2005 23:28:51 GMT
The big reason that comes to my mind is that users don't want to have to 
implicitly trust the server from the start, then register on the site by 
uploading their own key before secure communications can begin. 

The big advantage of a public certificate infrastructure is that the 
rest of us can trust someone we have never met before ( i.e. an https 
server you have never visited before ) because they present us with a 
certificate that is signed by a trusted third party.  The server proves 
to the client that it is who it says it is, and the client can 
optionally prove its identity to the server with a client certificate.  
Either one allows all communications to be encrypted and you don't have 
to exchange private information first to do it. 

Personally, I don't understand the need for pgp.  You can sign and 
encrypt email or IPsec just fine using X.509 certificates. 

Nick Kew wrote:

>We have grown accustomed to two separate trust mechanisms
>on the 'net; server certs signed by some authority, or the PGP
>web of trust.
>I would like to be able to use PGP trust over the web.  That would
>mean (something like) installing a certificate on the server, and
>signing it with my PGP key.  My browser, having access to and
>trust in, my public key, will then trust the server.  No need for
>any dealings with verispam.
>Is there any technical reason this shouldn't happen?
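The trust model Phillip describes above (a client accepting a server it has never seen because a trusted third party signed the server's certificate) can be shown concretely with Go's standard `crypto/x509` package. The following is an added example, not code from this thread, from Apache httpd or from any browser: it builds a throwaway root CA, puts only that CA in the client's trust store, and then checks three server certificates the way a browser checks an https server: one signed by the CA, one the server signed itself (the "trust me from the start" case the post objects to), and the CA-signed one presented for a hostname it does not name. The hostname `www.example.test`, the CA name `Demo Root CA`, and the helper names `newCert`, `verifyServer` and `RunDemo` are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert creates a fresh key pair and an X.509 certificate for name. When parent is
// nil the certificate is self-signed; otherwise it is signed by parent's private key.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Server certificate: the name the client matches lives in the SAN extension.
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// verifyServer performs the check a browser makes on an https server it has never
// visited: chain the presented certificate to a trusted root and match the hostname.
func verifyServer(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome records which presented certificates the client accepted.
type Outcome struct {
	CASignedAccepted   bool // signed by the trusted CA, presented for the right hostname
	SelfSignedAccepted bool // signed by the server itself; nobody the client trusts vouched for it
	WrongHostAccepted  bool // signed by the CA, but presented for a hostname it does not name
}

const host = "www.example.test" // constructed hostname for the demo

// RunDemo builds a one-CA trust store and tests the three server certificates against it.
func RunDemo() (Outcome, error) {
	var out Outcome
	ca, caKey, err := newCert("Demo Root CA", true, nil, nil)
	if err != nil {
		return out, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the client's entire trust store: just this third party

	signed, _, err := newCert(host, false, ca, caKey)
	if err != nil {
		return out, err
	}
	selfSigned, _, err := newCert(host, false, nil, nil)
	if err != nil {
		return out, err
	}
	out.CASignedAccepted = verifyServer(signed, roots, host) == nil
	out.SelfSignedAccepted = verifyServer(selfSigned, roots, host) == nil
	out.WrongHostAccepted = verifyServer(signed, roots, "other.example.test") == nil
	return out, nil
}

func main() {
	out, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Only the CA-signed certificate presented for its own hostname is accepted. The self-signed one is rejected with an unknown-authority error even though it carries the right name, which is exactly the case where a client would otherwise have to "implicitly trust the server from the start"; the hostname mismatch is rejected because a signature from a trusted third party vouches for a specific name, not for whoever holds the key. Nick's proposal would correspond to putting a PGP-signed assertion in place of the `roots` pool, which no stock TLS client does, so the X.509 path is what browsers actually evaluate.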
