httpd-dev mailing list archives

From Phillip Susi <>
Subject Re: pgp trust for https?
Date Sun, 06 Nov 2005 21:41:52 GMT
Nick Kew wrote:

>Why would anyone have to do that?  I'll trust a server as much as I trust
>the PGP key of the person who signed it.  That's the same as trusting
>an httpd download because it's signed by someone whose key I trust.

The question then is who is going to sign?  You seem to be suggesting 
that a server accept signatures from anyone and everyone, and you would 
only trust the server if someone that you know and trust had already 
decided to trust the server and sign their certificate.  That still 
leaves you in a position of either deciding to implicitly trust the site 
and sign its certificate, which then causes all of your friends to 
trust it, or trusting the opinion of your friend who already decided 
(based on what exactly?) to trust the site and sign their cert. 

That doesn't provide much in the way of security, and is impossible to 
maintain -- a site can't accept a million signatures on their 
certificate from everyone who feels like signing it. 

>It's usually signed by verispam, who make a habit of engaging in some
>very nasty business practices, from spamming to holding the 'net to
>ransom.  They also bought the main competitor (thawte), leaving us
>short of competition amongst those widely recognised by browsers.
>With PGP it's my own trust, not theirs.

You are quite free to set up your own root CA and encourage others to 
trust you.  You are also free to decide to NOT trust certificates signed 
by verispam.  Personally, I feel this role belongs in the government.  
That's where you get your birth certificate, driver's license, social 
security card, and other forms of 'official' ID.  They may as well get 
rid of all the paper ID and just start issuing digital certificates. 

>I seldom use pgp for email (and I hate it when people sign messages
>posted to a list like this).  But I always use it to verify software I 
>download from the 'net.  And, unlike https, it tells me every time
>whether or not *I* trust the digital signature.

How do you decide that such a signature is trustworthy and valid?  You 
either have to know about their public key a priori, or know (and trust) 
another one that signed theirs; otherwise, you're just guessing that 
you can trust it. 
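The two trust models being argued over in this thread, reduced to code as an added illustration (this is not code from the thread or from httpd). The key names, the signature graph and the owner-trust assignments are constructed for the example. The PGP-style function validates a key only when enough already-valid introducers have signed it, with the thresholds and depth bound chosen by the verifier; the CA-style function accepts any path back to a pre-installed root. Running both over the same graph shows the point made above: with a web of trust, whether a site's key counts as valid depends entirely on the policy you set for your friends' signatures, and a site that a single marginally trusted friend signed on unknown grounds becomes valid the moment you relax that policy.

```python
"""Toy comparison of PGP web-of-trust validity and X.509 chain validation.

Constructed example data: every key name and signature below is made up
for this illustration and does not describe any real key or site.
"""
from collections import deque

# Constructed signature graph: signer -> set of keys that signer has certified.
SIGNATURES = {
    "me": {"alice", "bob"},
    "alice": {"example.org", "carol"},   # alice certified the site's key (on what basis?)
    "bob": {"carol"},
    "carol": {"example.org"},
    "browser-root": {"ca-intermediate"},
    "ca-intermediate": {"example.org", "other.example"},
}

# Owner trust I assign to each key *as an introducer*: how far I trust its
# signatures on other keys. Keys absent here carry no introducer trust at all.
OWNERTRUST = {"me": "full", "alice": "marginal", "bob": "marginal", "carol": "marginal"}


def all_keys():
    """Every key that appears in the graph, as signer or as signed."""
    keys = set(SIGNATURES)
    for signed in SIGNATURES.values():
        keys |= signed
    return keys


def signers_of(key):
    """Set of keys that have certified `key`."""
    return {s for s, signed in SIGNATURES.items() if key in signed}


def pgp_valid_keys(my_key="me", completes_needed=1, marginals_needed=2, max_depth=3):
    """Keys whose identity I consider validated under a PGP-style policy.

    A key becomes valid when it is signed by at least `completes_needed`
    valid keys with full owner trust, or by at least `marginals_needed`
    valid keys with marginal owner trust. Validity propagates outward from
    my own key for at most `max_depth` introducer hops.
    """
    valid = {my_key}
    for _ in range(max_depth):
        added = set()
        for key in all_keys() - valid:
            vouching = signers_of(key) & valid  # only already-valid signers count
            fulls = sum(1 for s in vouching if OWNERTRUST.get(s) == "full")
            marginals = sum(1 for s in vouching if OWNERTRUST.get(s) == "marginal")
            if fulls >= completes_needed or marginals >= marginals_needed:
                added.add(key)
        if not added:
            break
        valid |= added
    return valid


def ca_chain_valid(leaf, trusted_roots, max_len=5):
    """X.509-style check: `leaf` is valid iff some chain of signers reaches a
    root in `trusted_roots`. Intermediates need no trust of their own; the
    root's signature alone makes them acceptable."""
    frontier = deque([(leaf, 0)])
    seen = set()
    while frontier:
        key, depth = frontier.popleft()
        if key in trusted_roots:
            return True
        if depth >= max_len or key in seen:
            continue
        seen.add(key)
        for signer in signers_of(key):
            frontier.append((signer, depth + 1))
    return False


if __name__ == "__main__":
    print("PGP, strict policy (2 marginals):", sorted(pgp_valid_keys()))
    print("PGP, strict policy, depth 2:    ", sorted(pgp_valid_keys(max_depth=2)))
    print("PGP, one friend suffices:        ", sorted(pgp_valid_keys(marginals_needed=1)))
    print("CA, browser-root trusted:        ", ca_chain_valid("example.org", {"browser-root"}))
    print("CA, only my own root trusted:    ", ca_chain_valid("example.org", {"me"}),
          ca_chain_valid("other.example", {"me"}))
```

Note that `ca_chain_valid("example.org", {"me"})` is the "set up your own root CA" case from earlier in the message: the same graph, evaluated with my key as the only root, accepts the site purely because alice's signature chains back to me, with no notion of how much I trust alice's judgement.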
