multiple subkeys and key transition
Robert J. Hansen
rjh at sixdemonbag.org
Sun Dec 12 03:15:50 CET 2010
On 12/11/2010 6:22 PM, MFPA wrote:
> A question on the subject of SSL/TLS certificates and HTTPS: often
> there is no user requirement to "authenticate" the identity of the
> server, but rather a simple requirement to prevent snooping; why does
> this need a certificate?
Otherwise the snooper could just use a MitM and you'd be none the wiser.
When you visit Amazon.com, both you and Amazon need some way to ensure
you're talking to the real McCoy. Amazon authenticates you by having
you provide a username and password. You authenticate Amazon by
checking their SSL cert and seeing that it was issued by a trusted
authority.
If you didn't check the SSL cert, I could provide a self-signed SSL
cert, have you accept it, and then do a MitM on your connection. Next
thing you know, you've paid for all my Christmas shopping...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5598 bytes
Desc: S/MIME Cryptographic Signature
URL: </pipermail/attachments/20101211/96054a4b/attachment.bin>
More information about the Gnupg-users
mailing list