gpgsm and expired certificates
kloecker at kde.org
Sat Nov 2 20:44:10 CET 2013
On Saturday 02 November 2013 19:48:39 Uwe Brauer wrote:
> >> "MFPA" == MFPA <expires2013 at ymail.com> writes:
> > Hi
> > On Sunday 27 October 2013 at 2:46:05 PM, in
> > <mid:8761si4vrm.fsf at mat.ucm.es>, Uwe Brauer wrote:
> > Isn't the NSA "a government based organisation?" Surely
> > guilt-by-association renders every government based organisation
> > just
> > as nefarious as the NSA.
> Your point being?
> I presume it goes like this: NSA is "a government based
> organisation" doing, among other things, violations of civil rights.
> So any other government based organisation cannot be trust, end of
> Well I just talked about a service, which provides certificates to
> its citizen. That means it signs a public/private key pair, which is
> generated by the, hopefully open source, crypto module of your
> So either you claim to have evidence that this modules have been
> hacked and the key pair is transferred to some of these evil
> organisations or I really don't see your point.
Since I had exactly the same thought as MFPA (namely that the NSA is a
government based organization), I'll explain my thoughts (which could be
different from MFPA's point).
You, Uwe Brauer, wrote:
> I would prefer a government based organisation which provides this
> service to its citizen (especially because of all which was lately
> revealed about the NSA)
where "this service" refers to the service a commercial, not government
based CA like comodo offers.
I interpreted "especially because of all which was lately revealed about
the NSA" to refer to the NSA's ability to forge certificates issued by
commercial CAs (e.g. by forcing the CAs to provide such a certificate).
Now my thinking was that the NSA (or some other country's secret agency,
e.g. the German BND) probably wouldn't have more problems to get forged
certificates if they were issued by a government based CA.
OTOH, you wrote the above in reply to Werner's
> The business model of most CAs is to sell you a subscription by
> setting the expiration time very low so that they can ask after a
> year for another fee to create a new certificate. Here it does not
> make sense to create a new private key every year.
So, your point/hope probably was that a government based CA wouldn't
have such a business model and would instead offer this service gratis
to the people (so that more people would be protected from the NSA
reading their mail). If this was your point then apparently I didn't see
it when I first read your message.