From: Phillip Susi
Date: Sun, 06 Nov 2005 16:41:52 -0500
To: dev@httpd.apache.org
Subject: Re: pgp trust for https?
Message-ID: <436E78A0.6050400@cfl.rr.com>

Nick Kew wrote:

>Why would anyone have to do that?  I'll trust a server as much as I trust
>the PGP key of the person who signed it.  That's the same as trusting
>an httpd download because it's signed by someone whose key I trust.

The question then is who is going to sign? You seem to be suggesting that a server accept signatures from anyone and everyone, and you would only trust the server if someone that you know and trust had already decided to trust the server and sign their certificate. That still leaves you in a position of either deciding to implicitly trust the site and sign its certificate, which then causes all of your friends to trust it, or trusting the opinion of your friend who already decided (based on what exactly?) to trust the site and sign their cert. That doesn't provide much in the way of security, and is impossible to maintain -- a site can't accept a million signatures on their certificate from everyone who feels like signing it.

>It's usually signed by verispam, who make a habit of engaging in some
>very nasty business practices, from spamming to holding the 'net to
>ransom.  They also bought the main competitor (thawte), leaving us
>short of competition amongst those widely recognised by browsers.
>
>With PGP it's my own trust, not theirs.

You are quite free to set up your own root CA and encourage others to trust you. You are also free to decide to NOT trust certificates signed by verispam. Personally, I feel this role belongs in the government. That's where you get your birth certificate, driver's license, social security card, and other forms of 'official' ID. They may as well get rid of all the paper ID and just start issuing digital certificates.

>I seldom use pgp for email (and I hate it when people sign messages
>posted to a list like this).  But I always use it to verify software I
>download from the 'net.  And, unlike https, it tells me every time
>whether or not *I* trust the digital signature.

How do you decide that such a signature is trustworthy and valid? You either have to know about their public key a priori, or know (and trust) another one that signed theirs, otherwise, you're just guessing that you can trust it.
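
The decision described in the last paragraph (a key you know a priori, or one signed by a key you already trust), sketched as an added example that is not part of the original message. The key names, the signature data and the depth limit are constructed, and this is a simplified model rather than any PGP implementation's algorithm.

```python
from collections import deque

# Constructed sample data: signer -> keys that signer has certified.
SIGNATURES = {
    "me": {"alice", "bob"},
    "alice": {"carol"},
    "bob": {"release-manager"},
    "carol": {"mirror-site"},
    "stranger-1": {"example-server"},
    "stranger-2": {"example-server"},
}
# Keys whose owners I trust to certify other keys (my decision, not theirs).
INTRODUCERS = {"alice", "bob"}


def trust_path(signatures, own_key, introducers, target, max_depth=3):
    """Return a signature chain own_key -> ... -> target, or None.

    Every key between own_key and target must be a trusted introducer
    that is itself reached through such a chain.
    """
    queue = deque([[own_key]])
    seen = {own_key}
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_depth:
            continue  # chain already at the assumed depth limit
        for signed in sorted(signatures.get(path[-1], ())):
            if signed == target:
                return path + [signed]
            if signed in introducers and signed not in seen:
                seen.add(signed)
                queue.append(path + [signed])
    return None


def count_signatures(signatures, target):
    """Number of signatures on target, whether or not I trust the signers."""
    return sum(1 for signed in signatures.values() if target in signed)


if __name__ == "__main__":
    for key in ("alice", "release-manager", "mirror-site", "example-server"):
        print(key, count_signatures(SIGNATURES, key),
              trust_path(SIGNATURES, "me", INTRODUCERS, key))
```

The server key carries the most signatures in the sample and still has no path, because none of its signers is reachable from a key the verifier already trusts.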