gpgsm and expired certificates

Ingo Klöcker kloecker at kde.org
Sat Nov 2 20:44:10 CET 2013


On Saturday 02 November 2013 19:48:39 Uwe Brauer wrote:
> >> "MFPA" == MFPA  <expires2013 at ymail.com> writes:
>    > Hi
>    > On Sunday 27 October 2013 at 2:46:05 PM, in
>    > <mid:8761si4vrm.fsf at mat.ucm.es>, Uwe Brauer wrote:
>    > 
>    > Isn't the NSA "a government based organisation?" Surely
>    > guilt-by-association renders every government based organisation
>    > just
>    > as nefarious as the NSA.
> 
> Your point being?
> 
> I presume it goes like this: NSA is "a government based
> organisation" doing, among other things, violations of civil rights.
> 
> So any other government based organisation cannot be trusted, end of
> argument.
> 
> Well I just talked about a service, which provides certificates to
> its citizens. That means it signs a public/private key pair, which is
> generated by the, hopefully open source, crypto module of your
> browser.
> 
> So either you claim to have evidence that these modules have been
> hacked and the key pair is transferred to some of these evil
> organisations or I really don't see your point.

Since I had exactly the same thought as MFPA (namely that the NSA is a 
government based organization), I'll explain my thoughts (which could be 
different from MFPA's point).

You, Uwe Brauer, wrote:
> I would prefer a government based organisation which provides this
> service to its citizen (especially because of all which was lately
> revealed about the NSA)

where "this service" refers to the service a commercial, not government 
based CA like Comodo offers.

I interpreted "especially because of all which was lately revealed about 
the NSA" to refer to the NSA's ability to forge certificates issued by 
commercial CAs (e.g. by forcing the CAs to provide such a certificate). 
Now my thinking was that the NSA (or some other country's secret agency, 
e.g. the German BND) probably wouldn't have more problems to get forged 
certificates if they were issued by a government based CA.

OTOH, you wrote the above in reply to Werner's
> The business model of most CAs is to sell you a subscription by
> setting the expiration time very low so that they can ask after a
> year for another fee to create a new certificate.  Here it does not
> make sense to create a new private key every year.

So, your point/hope probably was that a government based CA wouldn't 
have such a business model and would instead offer this service gratis 
to the people (so that more people would be protected from the NSA 
reading their mail). If this was your point then apparently I didn't see 
it when I first read your message.


Regards,
Ingo