From: Nadav Har'El (nyh_at_nonexisting.hamakor.org.il)
Date: Sun 23 Feb 2003 - 18:31:55 IST
On Sun, Feb 23, 2003, Ira Abramov wrote about "Re: From the News...":
> Quoting Nadav Har'El, from the post of Sun, 23 Feb:
> > I assume the current signature hoopla refers to PKI, not PGP.
>
> "a PKI" is a generic name for a system, pgp is one example of which.
You may be technically right, but in reality "PKI" is normally used only to
talk about one thing: The X.509 Public Key Infrastructure. Try looking for
"PKI" books in Amazon, and see what they talk about.
GPG is indeed an "infrastructure", and deals with "public keys",
but I never heard anyone calling it "PKI".
In any case, the name wasn't my point. My point was that the articles are
probably talking about X.509 PKI, a hierarchical system, not about PGP.
> trust is not an option, it just implies that you can trust more CAs of
> your choice. I see no reason why SSL should not be used as a web of
> trust if people chose to implement it that way. If I can choose in a
The encryption and signing algorithms in SSL and GPG are theoretically
equivalent. What is different is the file formats (this difference can be
by an extra layer of software), but more importantly by a mode of operation.
SSL clients by default have only a small number of recognized CAs (certificate
authorities), e.g., verisign. I dare you configure Internet Explorer to work
in a "web of trust" model. Or the other way around - gpg can be made
"hierarchical" if several important people start signing thousands of
people. But where do you get those signer's keys? GPG software is does not
currently do this for you.
>
> technologicly it's possible, but web browsers today bow to a standard
> that is created for maximum financial gains for the CA monopolies.
And this is exactly why the Israeli CAs will also convince the government
that their solution is "better"!
> not true. I use SSL with unsigned certificates all the time. the browser
> may send warnings, but the link is secured.
Encrypted, but not secured - it is not protected against man-in-the-middle
attacks because of the lack of authentication!
It is probably better than nothing (stopping casual evesdropping) but
worthless against determined and sophisticated intruders.
-- Nadav Har'El | Sunday, Feb 23 2003, 22 Adar I 5763 nyh_at_math.technion.ac.il |----------------------------------------- Phone: +972-53-245868, ICQ 13349191 |The message above is just this http://nadav.harel.org.il |signature's way of propagating itself. ================================================================= To unsubscribe, send mail to linux-il-request_at_linux.org.il with the word "unsubscribe" in the message body, e.g., run the command echo unsubscribe | mail linux-il-request_at_linux.org.il
This archive was generated by hypermail 2.1.7 : Mon 06 Oct 2003 - 23:44:22 IST