On Saturday 05 November 2005 23:28, Phillip Susi wrote: > The big reason that comes to my mind is that users don't want to have to > implicitly trust the server from the start, then register on the site by > uploading their own key before secure communications can begin.
Why would anyone have to do that? I'll trust a server as much as I trust the PGP key of the person who signed it. That's the same as trusting an httpd download because it's signed by someone whose key I trust. > The big advantage of a public certificate infrastructure is that the > rest of us can trust someone we have never met before ( i.e. an https > server you have never visited before ) because they present us with a > certificate that is signed by a trusted third party. It's usually signed by verispam, who make a habit of engaging in some very nasty business practices, from spamming to holding the 'net to ransom. They also bought the main competitor (thawte), leaving us short of competition amongst those widely recognised by browsers. With PGP it's my own trust, not theirs. > Personally, I don't understand the need for pgp. You can sign and > encrypt email or IPsec just fine using x.509 certificates. I seldom use pgp for email (and I hate it when people sign messages posted to a list like this). But I always use it to verify software I download from the 'net. And, unlike https, it tells me every time whether or not *I* trust the digital signature. -- Nick Kew
