[OT] Why are you using the GPG / PGP keys?

Pete Stephenson pete at heypete.com
Wed May 29 20:29:34 CEST 2013 

On 5/29/2013 8:11 PM, Johan Wevers wrote:
>> They're based in Israel, not the US.
> 
> Wether that's better, worse or just the same is another question.

Indeed.

> But they do have US offices (they list one in New York) so they're
> subject to the Patriot Act.

Do they? My understanding is that it's just a VoIP number that connects
to their Israeli offices. International calls to US numbers are often
considerably less expensive than those to, say, Israel, so that makes
some sense.

See <https://www.startssl.com/?app=27>

> There is a reason that some cloud services in Europe broadly
> advertise with the fact thay they keep absolutely no relationship
> with the US.

Indeed.

I'm not a lawyer, but I don't see how having a phone number in the US
means that the whole organization is subject to the Patriot Act.

Even if it was, I'm not really seeing the major issue here: they claim
that there are no copies made of server-generated private keys at any
stage, so they wouldn't have any secret material to turn over. Since you
can submit CSRs for locally-generated keys then there's nothing private
at all for them to reveal other than the information in the certificate,
which is already public.

If they were subject to the Patriot Act, they might be compelled to
produce a new cert for a specific hostname (though I suspect they'd just
cancel the US VoIP line if that issue came up), but how is this
different from the many other US-based CAs?

>> Additionally, it's an option to have them generate the private key for
>> customers who are too lazy to generate their own private key and CSR,
>> but it is not required: the certificate-creation procedure also allows
>> for customers to provide them with a CSR produced from a
>> customer-generated private key.
> 
> OK, I could not find that after a brief look, they did wrote about
> sending a private key with password protection over the mail.

See <https://www.startssl.com/?app=25#44>: "The wizard doesn't force
subscribers to use private keys generated by the CA, instead clicking on
Skip at the step for private key generation allows to submit a
certificate request (CSR) prepared by the subscriber. Some server
software even requires this, most notable Java based software. The
creation of the private key by the wizard is completely optional and at
the sole risk of the subscriber."

Anyway, the overall point was "WebTrust-audited and widely-trusted
certificates are available for free from StartSSL, just as inexpensive
ones are available from other CAs in various countries, so cost should
not be a factor if one wishes to have secure, public-facing systems".

Using self-signed certs is perfectly suitable for internal systems or
those used by an individual or a small number of users, but for things
requiring access by the public (who might otherwise be suspicious or
technically unwilling or unable to configure their browser/mail
client/etc. to trust a self-signed cert) it makes a lot of sense to use
a cert signed by a CA.

Cheers!
-Pete

More information about the Gnupg-users mailing list