Questions about OpenPGP best practices

Peter Lebbing peter at digitalbrains.com
Tue Feb 26 11:19:14 CET 2013


On 26/02/13 07:43, Doug Barton wrote:
> That worked for me, although I was a bit disappointed that placing the cert at
> /etc/ssl/certs/ca.hkps.pool.sks-keyservers.net.cert didn't work like all the
> docs said it should.

Please realise that if it had worked, you would have installed that
sks-keyservers certificate authority as a system-wide certificate authority, and
your browser and other programs might[1] happily accept a certificate for your
e-mail provider or your banking site created and signed by the sks-keyservers CA.

In other words, trusting a certificate authority is currently an all-or-nothing
thing where you now trust them to certify any SSL-protected service you connect to.

While I appreciate the sks-keyservers folk, I would never install their CA as a
system-wide CA. Actually, I already distrust "proper" CAs :).

Peter.

[1] I say "might" because those programs could have their own list of CAs and
not use the system-wide one, like Firefox and Thunderbird.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
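
Added illustration of the point in the message above (not part of the original post, and not code from GnuPG or sks-keyservers): a private CA has no built-in limit on the names it can certify, so what matters is which verifier is handed that CA. The CA name, the host name bank.example and the function names are constructed for the demo; it assumes the openssl command-line tool with its default configuration.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA stands in for a private keyserver-pool CA.
# Everything lives in a temp directory; the system trust store is not modified.

make_demo_pki() {   # $1 = empty work directory
    # 1. A private CA, like one a keyserver pool might run.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Keyserver Pool CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
    # 2. The CA certificate carries no restriction on names, so its key
    #    can sign a certificate for a host unrelated to key servers.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=bank.example" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -days 1 \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/leaf.pem" 2>/dev/null
}

# A verifier that was handed the CA (what a system-wide install does for
# every program that reads the system store).
verify_with_ca() {
    openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# A verifier that only has the default trust store, i.e. the CA was
# configured for one application and never installed system-wide.
verify_default_store() {
    openssl verify "$1/leaf.pem" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_pki "$dir" || { rm -rf "$dir"; return 1; }
    if verify_with_ca "$dir"; then with_ca=accepted; else with_ca=rejected; fi
    if verify_default_store "$dir"; then plain=accepted; else plain=rejected; fi
    rm -rf "$dir"
    echo "with_ca=$with_ca default_store=$plain"
}

demo
```

Keeping the CA file in an application-specific location and pointing only that application at it leaves every other program in the "default_store" case.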


