[OT] Trusting X.509 certificate

MFPA expires2013 at ymail.com
Sun Apr 21 02:03:15 CEST 2013

On Thursday 18 April 2013 at 11:18:39 PM, in
<mid:Pine.NEB.4.64.1304151809210.10719 at panix3.panix.com>, Jay
Sulzberger wrote:

> 1. Is the stack used for credit card use over the Net
> sufficiently "secure"? Indeed this question is ill
> defined: "secure" for what, against what?

People have used payment cards insecurely in person and over the phone
for decades. Many are even daft enough to hand over cards to be kept
behind the counter against open food/drink tabs. The currently-used
systems for card payments over the internet are certainly also
insufficiently secure. But I have no compelling reason to believe
there is more of a problem now than in times gone by, rather than just
greater awareness.

> 2. In what ways does the problem of email encryption
> differ from the problem of encrypting credit card and
> other money-valuable data in transit, with http as the
> transport protocol?

In technical terms, I haven't a clue about the differing problems. But
in my experience credit card purchases are usually secured by https,
with certificates trusted by my browser manufacturer rather than by
me. This contrasts with email encryption using GnuPG, where the
decision to trust keys is nobody's but my own.

> 3. If the stack used for credit card use over the Net
> is good enough for most purchases, could we use a
> similar stack to secure email in transit?  In
> particular, could we use a similar stack, with a
> similar ease of learning and ease of use, as perceived
> by most of the people who today buy stuff using a
> credit card over the Net?

As far as I can tell, the ease of use comes from a blind trust in
browser developers' CA choices. I put it to you that this would be an
undesirable model for securing email communications.

-- 
Best regards

MFPA                    mailto:expires2013 at ymail.com

Don't learn safety rules by accident...
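The contrast drawn above, trust anchors chosen by the browser vendor versus trust decided by the user, can be shown in miniature with the openssl command-line tool. The script below is an added illustration, not part of the original message and not GnuPG's or OpenSSL's own example code. It builds a throwaway private CA and a leaf certificate for the made-up name shop.example, then verifies the very same leaf twice: once against the single anchor we chose ourselves, where it is accepted, and once against the CA bundle the platform ships, where it is rejected because our CA is not among the vendor's choices. The CA name, the hostname and the temporary working directory are all constructed for the demonstration; it needs only openssl and mktemp.

```shell
#!/bin/sh
# Added illustration (not from the original message): the same X.509 leaf
# certificate is trusted or untrusted depending only on whose trust anchors
# are loaded. Every name below is made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A private CA. Nobody but us has this in any trust store.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=My Own Trust Anchor" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. A leaf certificate for a fictitious shop, issued by that CA.
openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=shop.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" 2>/dev/null

# "Trust decided by me": verify the leaf against the one anchor we chose.
# Returns 0 when the chain builds to ca.pem.
verify_with_own_anchor() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# "Trust decided by the vendor": verify against whatever CA bundle the
# platform ships, with no anchor of ours added. Our CA is not in it, so the
# identical leaf is rejected (unable to get local issuer certificate).
verify_with_vendor_store() {
    openssl verify "$WORK/leaf.pem" >/dev/null 2>&1
}

if verify_with_own_anchor; then
    echo "own anchor:    leaf accepted"
else
    echo "own anchor:    leaf rejected (unexpected)"
fi

if verify_with_vendor_store; then
    echo "vendor bundle: leaf accepted (unexpected)"
else
    echo "vendor bundle: leaf rejected, issuer unknown to the platform store"
fi
```

The leaf and its signature never change between the two checks; only the set of anchors does. That is the whole difference the message is pointing at: in the browser model the anchor set is the vendor's bundle, while with -CAfile (or, in GnuPG, ownertrust) it is whatever the user has chosen to load.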


More information about the Gnupg-users mailing list