On 11 Mar 2014 20:42, "Gregory Maxwell" <[email protected]> wrote:
>
> On Tue, Mar 11, 2014 at 12:37 PM, Patrick Schleizer
> <[email protected]> wrote:
> > Natanael:
> >> It would probably be as easy as using SSL with a "null cipher" with
> >> authentication like poly1305.
> >
> > I preferred to sign the source files on my local hdd using a tool that
> > internally uses gpg. That way the SSL CAs wouldn't have any power over
> > it, neither the web server.
> >
> > If we were to rely on web servers / SSL CAs for this, I wouldn't see
> > the benefit in signing http.
>
> Please be very careful not to conflate signatures and authentication.
>
> SSL and null cipher with auth would provide authentication but not signatures.
>
> Signatures provide non-repudiation, which is very useful in some
> contexts, and somewhat harmful in others.
>
> There are applications where non-repudiation of web-page data would be
> quite useful. Esp if it can be extracted from inside the encryption.
>
> I'm mostly drawing a blank on why you'd want authentication without
> encryption, however, encryption is cheap.
Usually the reason for authentication without encryption is caching, like for popular YouTube videos or maybe software upgrades from a repository. Also, there's no reason to complain about CAs in this context either, simply because Monkeysphere exists. You can already use GPG, plugged in to replace the standard certificates and authentication. There's a browser plugin for it, and a tool to use it with SSH, and more. Then you can set up your own trust system and have your authenticated unencrypted connection.
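The distinction Gregory draws above (authentication, as a null-cipher TLS MAC gives you, versus a signature, as gpg on the files gives you) is easy to see in code. The following is an added example written for this archive page; it is not code from anyone in the thread, from Monkeysphere, or from any project mentioned. It uses Go's standard library: HMAC-SHA256 stands in for the shared-key authenticator and Ed25519 for the signature. The update blob and the key material are constructed for the example; nothing here models a real repository or cache.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample: an unencrypted update blob that any mirror or cache may serve.
var updateBlob = []byte("pkg: example-tool 1.2.3\nsize: 1048576\n")

// --- Authentication with a shared key (what a null-cipher TLS record MAC provides) ---

// macTag computes HMAC-SHA256 over msg with a key known to both endpoints.
func macTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// macVerify checks a tag in constant time.
func macVerify(key, msg, tag []byte) bool {
	return hmac.Equal(macTag(key, msg), tag)
}

// receiverCanForge shows why a MAC gives no non-repudiation: the receiver
// holds the same key, so a tag it mints on a message of its own choosing
// verifies exactly like one made by the sender.
func receiverCanForge(sharedKey []byte) bool {
	forged := []byte("pkg: example-tool 9.9.9\n")
	tag := macTag(sharedKey, forged) // produced by the receiver, not the publisher
	return macVerify(sharedKey, forged, tag)
}

// --- Signatures (what signing the files before publishing provides) ---

// signedBlob is the pair a cache would hand out: payload plus detached signature.
type signedBlob struct {
	Data []byte
	Sig  []byte
}

// publish signs the blob; only the holder of priv can produce Sig.
func publish(priv ed25519.PrivateKey, data []byte) signedBlob {
	return signedBlob{Data: data, Sig: ed25519.Sign(priv, data)}
}

// verifyFromCache is what a client runs on whatever an untrusted cache returns.
// Neither the cache nor a CA is involved; trust rests on pub alone.
func verifyFromCache(pub ed25519.PublicKey, sb signedBlob) bool {
	return ed25519.Verify(pub, sb.Data, sb.Sig)
}

// signatureDemo returns (genuine verifies, cache-tampered verifies,
// receiver-forged verifies). Expected: true, false, false.
func signatureDemo() (bool, bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	sb := publish(priv, updateBlob)
	genuine := verifyFromCache(pub, sb)

	// A cache modifies the payload but keeps the publisher's signature.
	tampered := signedBlob{Data: append(append([]byte{}, sb.Data...), "extra\n"...), Sig: sb.Sig}
	tamperedOK := verifyFromCache(pub, tampered)

	// The receiver has only pub; the best it can do is sign with some other key.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	forged := publish(otherPriv, []byte("pkg: example-tool 9.9.9\n"))
	forgedOK := verifyFromCache(pub, forged)

	return genuine, tamperedOK, forgedOK, nil
}

func main() {
	sharedKey := make([]byte, 32)
	if _, err := rand.Read(sharedKey); err != nil {
		panic(err)
	}
	fmt.Println("MAC: receiver can mint a valid tag on its own message:", receiverCanForge(sharedKey))

	genuine, tampered, forged, err := signatureDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("Signature: genuine blob verifies:", genuine)
	fmt.Println("Signature: cache-tampered blob verifies:", tampered)
	fmt.Println("Signature: receiver-forged blob verifies:", forged)
}
```

The two halves fail in different ways, which is the whole point: the MAC tells the client the bytes came from someone holding the shared key, and that someone could be the client itself, so it proves nothing to a third party. The signature lets a cache or mirror serve the bytes in the clear while the client, holding only the public key, still detects tampering and cannot manufacture a valid blob of its own.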
-- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
