
Re: pgp signing in van

2013-09-06 23:14:11
On Friday, September 06, 2013 19:50:28 Melinda Shore wrote:
> On 9/6/13 7:45 PM, Scott Kitterman wrote:
>> They have different problems, but are inherently less reliable than web of
>> trust GPG signing.  It doesn't scale well, but when done in a defined
>> context for defined purposes it works quite well.  With external CAs you
>> never know what you get.
>
> Vast numbers of bits can be and have been spent on the problems
> with PKI and on vulnerabilities around CAs (and the trust model).
> I am not arguing that PKI is awesome.  What I *am* arguing is that
> the semantics of the trust assertions are pretty well-understood
> and agreed-upon, which is not the case with pgp.  When someone
> signs someone else's pgp key you really don't know why, what the
> relationship is, what they thought they were attesting to, etc.

If you think CA assertions are any better, then I beg to differ.  Just for fun:

http://www.winrumors.com/microsoft-warns-of-fake-ssl-certificates-issued-for-gmail-yahoo-skype-and-others/

Scott K
