apache https gnupg

Ted Byers r.ted.byers at gmail.com
Tue Jul 10 20:27:10 CEST 2012


I searched the above combination of keywords on
http://marc.theaimsgroup.com/ and got nothing.  I assume, then, that this
group has no messages dealing with the question of whether or not I can use
GnuPG to create certificates that I can use to support https on Apache.  

 

The more general searches I used provided lots on the details of creating
certificates and keys for use in encrypting and signing documents, but
nothing on the more specific questions of practical application.

 

I actually have a couple concerns.  One dealing with supporting HTTPS on the
Apache web server (instead of buying one from, e.g., GoDaddy - and a related
question being can I sign a web page, which may not be sent via https, so
that the user viewing it knows it has not been altered in transit) and the
other dealing with authentication of users submitting data to a web
application that lives on Apache, and similarly the authentication of folk
sending email to my server, in both cases, meaning, is the person providing
the data who he says he is.  For this second issue, it is a question of
being able to support non-repudiation (i.e. to ensure a person can't enter
data on one date and then deny he did so subsequently).

 

I have read enough to know I can use GnuPG to encrypt data on my various
machines, but I haven't yet found where to look for information dealing with
practical application in securing web applications and proving the identity
of users of those applications.  In ecommerce, for example, one of the big
risks involves a customer buying a product or service and then demanding a
refund claiming he didn't buy that product or service but rather someone was
impersonating him.  I am looking to see if there is a practical application
of GnuPG to let me prove that a user is who he says he is and take that a
step further in providing evidence that the user did, in fact, make the
purchase he now denies (i.e. non-repudiation).  I recall, when I first read
about PGP, many years ago, there was a section that talked abstractly about
non-repudiation, but now I am looking to study the practicalities of applying
it in a selection of web applications (and these applications do involve use
of email, so that needs to be secured also).

 

I don't expect anyone to write a tome on this, but a few links on, first, is
it possible, and then, if so, how to deploy on Suse or Ubuntu Linux, would
be appreciated.

 

NB: I have a growing collection of tools I can use to support my efforts, so
in a sense, this is a question of whether or not I can, and should, add
GnuPG to my toolkit.

  

Cheers

 

Ted

 
