On Sunday 06 November 2005 21:41, Phillip Susi wrote:
> Nick Kew wrote:
> >Why would anyone have to do that? I'll trust a server as much as I trust
> >the PGP key of the person who signed it. That's the same as trusting
> >an httpd download because it's signed by someone whose key I trust.
>
> The question then is who is going to sign?

Huh? The same person who installs the cert now. It's just a different
signature. And for those who want a certificate authority, have such
authorities (the more the better) sign *their* PGP keys.

> You seem to be suggesting
> that a server accept signatures from anyone and everyone,

From whomsoever is responsible for it. Maybe even more than one
individual, in the case of an org with lots of techies.

> and you would
> only trust the server if someone that you know and trust had already
> decided to trust the server and sign their certificate. That still
> leaves you in a position of either deciding to implicitly trust the site
> and sign its certificate, which then causes all of your friends to
> trust it, or trusting the opinion of your friend who already decided (
> based on what exactly? ) to trust the site and sign their cert.

I'll sign my server. Same as I'll sign an httpd tarball if I roll one
for public consumption. You sign your server. Where's the problem?

> >It's usually signed by verispam, who make a habit of engaging in some
> >very nasty business practices, from spamming to holding the 'net to
> >ransom. They also bought the main competitor (thawte), leaving us
> >short of competition amongst those widely recognised by browsers.
> >
> >With PGP it's my own trust, not theirs.
>
> You are quite free to set up your own root CA and encourage others to
> trust you.

I don't want to get involved in something where I have nothing
substantial and new to contribute. "Encourage others to trust you"
is a marketing job of which I would be totally incapable.

> You are also free to decide to NOT trust certificates signed
> by verispam. Personally, I feel this role belongs in the government.
> That's where you get your birth certificate, driver's license, social
> security card, and other forms of 'official' ID. They may as well get
> rid of all the paper ID and just start issuing digital certificates.

Any particular government?

A few years ago I'd probably have agreed. With the most blatantly
corrupt government in living memory, that has less appeal.

> >I seldom use pgp for email (and I hate it when people sign messages
> >posted to a list like this). But I always use it to verify software I
> >download from the 'net. And, unlike https, it tells me every time
> >whether or not *I* trust the digital signature.
>
> How do you decide that such a signature is trustworthy and valid? You
> either have to know about their public key a priori, or know ( and trust
> ) another one that signed theirs, otherwise, you're just guessing that
> you can trust it.

Sure. I do trust my own key, and those of quite a number of other
people, including, for example, most of those with whom I would expect
to share an SVN repository for development work. That's the kind of
application where a PGP-signed server key is a clear winner.

And when my browser indicates that I don't trust a key, I can
investigate in detail by fetching the public key and its signature(s),
and make whatever other checks I see fit. Exactly the same as when I
download a package from the 'net.

-- 
Nick Kew
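As an added illustration, not part of this thread and not httpd code, here is a stdlib-only Python model of the two trust decisions being compared above: GnuPG's classic web-of-trust rule (a key is valid if it is signed by one fully trusted valid key or three marginally trusted valid keys, within a bounded chain depth) beside a CA-style chain walk that ends only at a root the browser vendor chose. Every key name, signature, owner-trust value and issuer link is a constructed label; signatures are simulated as set membership and nothing is cryptographically verified.

```python
"""Web-of-trust versus CA-chain validity, as a toy model.

Constructed example: key names are labels, not fingerprints, and a
"signature" is just membership in a signed_by set. The web-of-trust
rules mirror GnuPG's classic defaults (completes-needed=1,
marginals-needed=3, max-cert-depth=5).
"""
from dataclasses import dataclass, field

# Owner-trust levels the *user* assigns to a key's owner.
UNKNOWN, MARGINAL, FULL, ULTIMATE = 0, 1, 2, 3

COMPLETES_NEEDED = 1   # one fully trusted valid signer suffices
MARGINALS_NEEDED = 3   # or three marginally trusted valid signers
MAX_CERT_DEPTH = 5     # longest signature chain that is followed


@dataclass
class Key:
    name: str                                  # constructed label
    signed_by: set = field(default_factory=set)  # names of keys that certified this one


def key_validity(target, keyring, owner_trust, depth=0, seen=frozenset()):
    """True if `target` is valid under the web-of-trust rules.

    Ultimately trusted keys are valid by definition. Otherwise a signature
    counts only if the signer's owner is trusted (marginal or full) AND the
    signer's own key is itself valid, computed recursively. `depth` and
    `seen` bound the recursion so long chains and signature cycles stop.
    """
    if owner_trust.get(target) == ULTIMATE:
        return True
    if depth >= MAX_CERT_DEPTH or target in seen or target not in keyring:
        return False
    seen = seen | {target}
    full = marginal = 0
    for signer in keyring[target].signed_by:
        trust = owner_trust.get(signer, UNKNOWN)
        if trust < MARGINAL:
            continue  # the user never expressed an opinion about this signer
        if not key_validity(signer, keyring, owner_trust, depth + 1, seen):
            continue  # trusted owner, but we cannot establish that this is their key
        if trust >= FULL:
            full += 1
        else:
            marginal += 1
    return full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED


def ca_chain_valid(leaf, issuer_of, vendor_roots):
    """CA model: follow issuer links until a root from the vendor's store.

    The user's own trust settings play no part; the only question is
    whether the chain terminates in a root someone else pre-installed.
    """
    seen = set()
    current = leaf
    while current not in vendor_roots:
        if current in seen or current not in issuer_of:
            return False
        seen.add(current)
        current = issuer_of[current]
    return True


# Constructed keyring: the user (nick) signed alice, bob and dave; alice
# signed carol; several server keys were signed by various people.
KEYRING = {
    "nick": Key("nick"),
    "alice": Key("alice", {"nick"}),
    "bob": Key("bob", {"nick"}),
    "dave": Key("dave", {"nick"}),
    "carol": Key("carol", {"alice"}),
    "stranger": Key("stranger"),
    "svn.example": Key("svn.example", {"alice", "bob"}),          # one full signer
    "wiki.example": Key("wiki.example", {"bob", "carol", "dave"}),  # three marginal signers
    "build.example": Key("build.example", {"bob", "carol"}),      # only two marginal signers
    "shop.example": Key("shop.example", {"stranger"}),            # signer unknown to the user
}

# Owner trust the user assigned (constructed). Everyone else is UNKNOWN.
OWNER_TRUST = {"nick": ULTIMATE, "alice": FULL,
               "bob": MARGINAL, "carol": MARGINAL, "dave": MARGINAL}

# Constructed CA-style chain for the shop; the SVN server has no CA-issued cert.
ISSUER_OF = {"shop.example": "vendor-intermediate",
             "vendor-intermediate": "vendor-root"}
VENDOR_ROOTS = {"vendor-root"}


def compare(server):
    """Return (web_of_trust_valid, ca_chain_valid) for one server key."""
    return (key_validity(server, KEYRING, OWNER_TRUST),
            ca_chain_valid(server, ISSUER_OF, VENDOR_ROOTS))


if __name__ == "__main__":
    for server in ("svn.example", "wiki.example", "build.example", "shop.example"):
        wot, ca = compare(server)
        print(f"{server:14s} web-of-trust={wot!s:5s} ca-chain={ca}")
```

The two models disagree on every server here: the SVN and wiki keys are valid only because the user, or people the user chose to trust, signed them, while the shop is valid only because a vendor-shipped root sits at the top of its chain. `build.example` shows the marginal threshold at work: two marginally trusted signers are not enough under the defaults, so the user is told the key is not yet trusted and can go and check it, which is exactly the "tells me every time" behaviour the post describes.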