I don't understand much about CAs, but I know what PayPal does: you paste your public key (while being logged in via SSL, of course) and THEY sign it for you. They also show you a "key id" string (don't remember the exact name) that you should include inside the encrypted request (probably against a case where the key gets compromised, but not the app's config). The user/password auth POP3 has seems equivalent to that (at least to me).
PR-wise (e.g. if there's a petition), maybe it's easier to explain this to laypeople (like me) along the lines of: "we want Google to do what PayPal does, but Google says: privacy-via-bureaucracy or no privacy at all" and only in the fine print dive into the way CAs work. Just a thought.

On Tue, Dec 18, 2012 at 8:18 AM, James A. Donald <[email protected]> wrote:

> On 2012-12-18 1:25 AM, CodesInChaos wrote:
>
> One could require the user to specify/confirm a certificate fingerprint on gmail in such a case. That way you're MitM proof, even with a self signed certificate.
>
> Who is the real you? Well, obviously the you that knows the gmail password.
>
> Therefore, password should not be communicated in the clear. Gmail should not care whether you have a validly signed certificate, but you should care whether gmail has a validly signed certificate, and that it has the usual signature.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
