openPGP vs x509
atom-gpg at suspicious.org
Wed Apr 7 08:42:40 CEST 2004
-----BEGIN PGP SIGNED MESSAGE-----
> Check CACert.org.
it's still based on the x509 PKI (trust us: single point of failure),
which i don't like as much as the openPGP PKI (web of trust: tunable to
the paranoia and needs of the end user).

it doesn't seem hard (in theory) to implement a (user-friendly!) openPGP
type of PKI into web browsers... one could import PGP keys into their
browser (or just leave the default verisign/thawte/etc keys), assign
levels of trust to those keys, and assuming that the user-defined (or
default) trust settings are met, everything proceeds as normal... except
of course that one's PGP key could be used to sign a web site's
certificate and "trust" doesn't have to be issued from a central point.

really, it could be done in a way that's invisible to the 99% of end users
who don't know or care about crypto/keys/certs (like it is now), but could
open a lot of possibilities for people who want to hack around and
experiment, and not rely on a single point of failure.

of course, there'd still be a need for CAs: some web sites will still
prefer to buy their "trust" from a "trusted" source, rather than enter
into a "web" of trust (corporate mentality)... and those are the companies
that don't mind paying the verisign tax.
PGP key - http://atom.smasher.org/pgp.txt
3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3
"There can be no greater good than the quest for peace,
and no finer purpose than the preservation of freedom."
-- U.S. President Ronald Reagan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
Comment: What is this gibberish? - http://atom.smasher.org/links/#digital_signatures
-----END PGP SIGNATURE-----
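The browser-side web-of-trust check the post sketches, written out as an added example (this is not code from the post, the list, or GnuPG). It models a user's keyring with owner-trust levels, imported keys (including a bundled CA key the user chose to keep), and site certificate keys signed by those keys, then computes which sites the browser should accept. The thresholds (completes-needed=1, marginals-needed=3, max-cert-depth=5) are GnuPG's documented defaults; the key names, the round-based computation and the `Keyring`/`TrustSettings` helpers are constructed assumptions for illustration.

```python
"""Web-of-trust validity check for site certificate keys (added example).

Models the scheme the post sketches for browsers: the user imports OpenPGP
keys, assigns each an owner-trust level, and a site's certificate key is
accepted when enough valid, trusted keys have signed it. The thresholds
(completes-needed=1, marginals-needed=3, max-cert-depth=5) are GnuPG's
documented defaults; the keyring, names and round-based computation are a
constructed simplification, not GnuPG's own code.
"""
from dataclasses import dataclass

# Owner trust: how far the user trusts a key's holder to vouch for others.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = range(5)


@dataclass
class TrustSettings:
    """User-tunable knobs; stricter values suit a more paranoid user."""
    completes_needed: int = 1   # fully trusted signers needed
    marginals_needed: int = 3   # marginally trusted signers needed
    max_cert_depth: int = 5     # longest accepted chain from the user's key


class Keyring:
    def __init__(self, owner_trust, signatures):
        # owner_trust: key id -> trust level; keys absent here are UNKNOWN.
        # signatures: signed key id -> set of signer key ids.
        self.owner_trust = dict(owner_trust)
        self.signatures = {k: set(v) for k, v in signatures.items()}
        self.keys = set(self.owner_trust) | set(self.signatures)
        for signers in self.signatures.values():
            self.keys |= signers

    def trust(self, key):
        return self.owner_trust.get(key, UNKNOWN)

    def compute_validity(self, settings=None):
        """Return {key id: depth} for every key the user should accept.

        Round-based: keys held with ULTIMATE trust are valid at depth 0;
        each round validates keys signed by enough already-valid keys, and
        a key's depth is the round in which it first qualified.
        """
        settings = settings or TrustSettings()
        valid = {k: 0 for k, t in self.owner_trust.items() if t == ULTIMATE}
        depth = 0
        while depth < settings.max_cert_depth:
            depth += 1
            newly = {}
            for key in self.keys - set(valid):
                full = marginal = 0
                for signer in self.signatures.get(key, ()):
                    if signer not in valid:
                        continue  # an unverified key cannot vouch for anyone
                    t = self.trust(signer)
                    if t in (FULL, ULTIMATE):
                        full += 1
                    elif t == MARGINAL:
                        marginal += 1
                    # NEVER and UNKNOWN signers are ignored entirely
                if (full >= settings.completes_needed
                        or marginal >= settings.marginals_needed):
                    newly[key] = depth
            if not newly:
                break
            valid.update(newly)
        return valid


def site_is_trusted(keyring, site_key, settings=None):
    """True if the site's certificate key is valid under the user's settings."""
    return site_key in keyring.compute_validity(settings)


# Constructed keyring: "me" is the user's own key; alice is fully trusted,
# bob/carol/dave only marginally, mallory is explicitly distrusted, and
# "default-ca" plays the role of a bundled CA key the user chose to keep.
DEMO = Keyring(
    owner_trust={"me": ULTIMATE, "alice": FULL, "bob": MARGINAL,
                 "carol": MARGINAL, "dave": MARGINAL, "mallory": NEVER,
                 "default-ca": FULL},
    signatures={"alice": {"me"}, "bob": {"me"}, "carol": {"me"},
                "mallory": {"me"}, "default-ca": {"me"}, "dave": {"alice"},
                "site-a": {"bob", "carol", "dave"},   # three marginals
                "site-b": {"mallory", "bob"},         # one marginal, one NEVER
                "site-c": {"default-ca"}},            # the CA status quo
)

if __name__ == "__main__":
    for site in ("site-a", "site-b", "site-c"):
        print(site, "trusted" if site_is_trusted(DEMO, site) else "rejected")
    paranoid = TrustSettings(marginals_needed=5)
    print("site-a under paranoid settings:",
          site_is_trusted(DEMO, "site-a", paranoid))
```

Two points the model makes visible: validity and trust are separate (mallory's key is valid because the user signed it, yet it vouches for nothing because its owner trust is NEVER), and the same keyring yields different answers for different users, since raising `marginals_needed` or lowering `max_cert_depth` rejects site-a without touching site-c's CA-style path.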