On Mon, Mar 06, 2000 at 02:10:42PM -0800, EKR wrote:
> Karl Denninger <[EMAIL PROTECTED]> writes:
> > Well, I understand that, but it seems that people (including Thawte,
> > Microslug and Nutscrape) are missing the point.
> > 
> > There are two separate things that secure web servers do.
> > 
> > 1.  Authenticate who you're talking to, so that when you engage in
> >     commerce you have some indication that the merchant you think you're
> >     dealing with is really who you're dealing with.
> > 
> > 2.  Encrypt the data so that it cannot be intercepted between the
> >     sending and receiving machines.
> > 
> > These are NOT the same function, and needing one of them does not imply
> > needing the other.  
> This is incorrect.
> 
> Without authentication of the merchant's identity, you're subject to
> a variety of active attacks where the attacker substitutes his
> key for the merchant's. You can only have encryption without
> endpoint authentication if your threat model does not include 
> active attack.
> 
> > Yet, in today's world, you cannot have one without the other, which means
> > that to get EITHER you must pay someone.
> > 
> > Contrast this with PGP for email, in which I can publish a public key and
> > once you obtain it you're able to receive an encrypted communication from 
> > me and decode the traffic.  My generation of that key pair does not require
> > that it be "certified" by any third party.
> The generation, no. However, in order for people sending you mail
> to be sure that they are not subject to active key substitution
> attacks, the key pair does need to be securely bound to the
> recipient. Unless you're prepared to exchange keys with all of your
> correspondents out of band, you do need third party key certification.
> PGP accomplishes this using key signing rather than certificates
> per se, but it's an analogous concept.

Understood.

However, the concept that a PERSON needs to pay upwards of $100 to get a key
by which they can have an SSL connection work from a web server is insane.

Why are there no public CAs - much like the public keyrings for PGP?

Why do Nutscrape and Microslug only ship with COMMERCIAL, and EXPENSIVE,
CAs loaded?

-- 
Karl Denninger ([EMAIL PROTECTED])  Web: http://childrens-justice.org
Isn't it time we started putting KIDS first?  See the above URL for
a plan to do exactly that!
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
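The exchange described in the thread, as an added toy model (not code from the thread or from mod_ssl): an ephemeral Diffie-Hellman key agreement run three ways, so that "encryption without endpoint authentication" can be compared with the case where the merchant's identity key is pinned (obtained out of band, or certified by a third party). The group, the Schnorr-style signature and all keys are constructed toy values and assumptions of this example, not anything from the page.

```python
"""Toy model of the thread's point: key agreement without endpoint authentication falls to
active key substitution; binding the merchant's key to its identity lets the client detect it."""
import hashlib
import secrets

P = 2**127 - 1  # constructed toy modulus (a Mersenne prime); tiny and NOT a real TLS group
G = 3
Q = P - 1       # exponents reduced mod P-1 (Fermat); toy, no prime-order subgroup

def enc(n):
    return n.to_bytes(16, "big")

def h(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def keypair():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def sign(sk, msg):
    """Toy Schnorr signature by a long-term key: stands in for the certificate / key-signing binding."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k - h(enc(r), msg) * sk) % Q

def verify(pk, msg, sig):
    r, s = sig
    return (pow(G, s, P) * pow(pk, h(enc(r), msg), P)) % P == r

def session_key(sk, peer_pk):
    return hashlib.sha256(enc(pow(peer_pk, sk, P))).hexdigest()

def handshake(merchant_sk, pinned_merchant_pk=None, active_attacker=False):
    """Ephemeral DH, client <-> merchant. Returns (client_accepted, client_key, merchant_key, attacker_key).
    pinned_merchant_pk: identity key the client got from a CA or out of band; None = trust whatever arrives."""
    m_sk, m_pk = keypair()
    c_sk, c_pk = keypair()
    m_sig = sign(merchant_sk, enc(m_pk))          # merchant signs its ephemeral value
    attacker_key = None
    if active_attacker:
        # Someone in the path swaps in their own ephemeral value, signed with their OWN identity key.
        a_sk, a_pk = keypair()
        m_pk_seen, m_sig = a_pk, sign(keypair()[0], enc(a_pk))
        merchant_key = session_key(m_sk, a_pk)    # merchant now shares a key with the attacker
        attacker_key = session_key(a_sk, c_pk)    # ... and so does the client, if it accepts
    else:
        m_pk_seen, merchant_key = m_pk, session_key(m_sk, c_pk)
    if pinned_merchant_pk is not None and not verify(pinned_merchant_pk, enc(m_pk_seen), m_sig):
        return False, None, merchant_key, attacker_key   # key on the wire is not bound to the merchant
    return True, session_key(c_sk, m_pk_seen), merchant_key, attacker_key
```

Without a pinned key the client "succeeds" in every run and cannot tell the substituted key from the merchant's; with the pinned key the substitution fails verification, which is the certification step the thread is arguing about.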
