httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Phillip Susi <>
Subject Re: pgp trust for https?
Date Mon, 07 Nov 2005 01:09:00 GMT
Nick Kew wrote:

>Huh?  The same person who installs the cert now.  It's just a different
>signature.  And for those who want a certificate authority, have such
>authorities (the more the better) sign *their* PGP keys.
>>From whomsoever is responsible for it.  Maybe even more than one
>individual, in the case of an org with lots of techies.
>I'll sign my server.  Same as I'll sign an httpd tarball if I roll one
>for public consumption.  You sign your server.  Where's the problem?
>I don't want to get involved in something where I have nothing substantial
>and new to contribute.  "Encourage others to trust you" is a marketing
>job of which I would be totally incapable.

Now you seem to be talking about self signed certificates.  There are 
sites out there that use them, but the problem is, they provide no 
authentication.  Sure, they allow encrypted communications, and if you 
save the certificate, then you can be sure that you are connecting to 
the same server the next time ( preventing man in the middle attacks ) 
but there's nothing to prevent a man in the middle the first time. 

Another example you mentioned is signing tarballs you make.  Well if 
your certificate is not signed by a trusted third party, such as 
verisign or whomever, then how am I to know that it was YOU who signed 
it and not some random guy claiming to be you?  Anyone can make a 
keypair, the signature of the CA is what authenticates it. 

>Any particular government?  A few years ago I'd probably have agreed.
>With the most blatently corrupt government in living memory, that has
>less appeal.

True, but if things are that bad then you have bigger problems to worry 
about.  As long as you still trust them to issue forms of paper 
identification, then digital ones should be no different.  Why get a 
paper ID from the government to show to a CA to prove you are you, so 
they can sign your cert, rather than just have the gov't sign it directly?

>Sure.  I do trust my own key, and those of quite a number of other people,
>including, for example, most of those with whom I would expect to share
>an SVN repository for development work.  That's the kind of application
>where a PGP-signed server key is a clear winner.

How so?  Again, in a small group of people who know each other in real 
life and have a secure method of exchanting certificates, that works 
fine, but this breaks down when you have a larger group of people who do 
not know each other in real life and can swap their certs on disks when 
they see each other. 

>And when my browser indicates that I don't trust a key, I can investigate
>in detail by fetching the public key and its signature(s), and make whatever
>other checks I see fit.  Exactly the same as when I download a package
>from the 'net.
Yes... and you can do that with the x.509 certificates that are used for 
https/SSL, so what's pgp needed for?

View raw message