Re: pgp trust for https?

[Phillip Susi]

Nick Kew wrote: Huh? The same person who installs the cert now. It's just a different signature. And for those who want a certificate authority, have such authorities (the more the better) sign *their* PGP keys. >From whomsoever is responsible for it. Maybe even more than one individual, in the case of an org with lots of techies. I'll sign my server. Same as I'll sign an httpd tarball if I roll one for public consumption. You sign your server. Where's the problem? I don't want to get involved in something where I have nothing substantial and new to contribute. "Encourage others to trust you" is a marketing job of which I would be totally incapable. Now you seem to be talking about self signed certificates.  There are sites out there that use them, but the problem is, they provide no authentication.  Sure, they allow encrypted communications, and if you save the certificate, then you can be sure that you are connecting to the same server the next time ( preventing man in the middle attacks ) but there's nothing to prevent a man in the middle the first time.  Another example you mentioned is signing tarballs you make.  Well if your certificate is not signed by a trusted third party, such as verisign or whomever, then how am I to know that it was YOU who signed it and not some random guy claiming to be you?  Anyone can make a keypair, the signature of the CA is what authenticates it.  Any particular government? A few years ago I'd probably have agreed. With the most blatently corrupt government in living memory, that has less appeal. True, but if things are that bad then you have bigger problems to worry about.  As long as you still trust them to issue forms of paper identification, then digital ones should be no different.  Why get a paper ID from the government to show to a CA to prove you are you, so they can sign your cert, rather than just have the gov't sign it directly? Sure. I do trust my own key, and those of quite a number of other people, including, for example, most of those with whom I would expect to share an SVN repository for development work. That's the kind of application where a PGP-signed server key is a clear winner. How so?  Again, in a small group of people who know each other in real life and have a secure method of exchanting certificates, that works fine, but this breaks down when you have a larger group of people who do not know each other in real life and can swap their certs on disks when they see each other.  And when my browser indicates that I don't trust a key, I can investigate in detail by fetching the public key and its signature(s), and make whatever other checks I see fit. Exactly the same as when I download a package from the 'net. Yes... and you can do that with the x.509 certificates that are used for https/SSL, so what's pgp needed for?