Why Not Replace SSL Certificates With PGP Keys?

Submitted by vik
vik (17857) writes "The whole SSL process has been infiltrated by the NSA, GCSB and other ne'er-do-wells. If governments want a man-in-the-middle certificate they simply issue a secret gagging order to the CA to make them issue one. Consequently "certified" SSL certificates can no longer be trusted. Ironically self-issued certificates are more secure, but not easily verified.

However, PGP/GPG keys can be trusted and independently verified. They are as secure as we can get for now. Why not replace the broken SSL CA system with GPG/PGP encryption keys? Make the NSA-infiltrated stuff obsolete, and rely on a real-world web of trust?"
This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

    • by vik (17857)

      IPSEC packet handling is separate from the PGP algorithm. Because one application using PGP may have been sabotaged, this does not mean the entire PGP system is broken, or that using SSL is any safer. There is still a strong case to replace SSL with PGP.

      • You're missing the point.

        Any coordinated attempt to establish a secure industry standard which has no backdoors or intentional weaknesses will be subject to infiltration and sabotage efforts. It doesn't matter what technology is involved.

        That's not to say it's impossible in the future, but it does explain why it hasn't been done yet.
  • This idea relies on the assumption that:

    ... PGP/GPG keys can be trusted and independently verified...

    But this is in no way guaranteed. How would you independently verify a PGP key? What additional level of guarantee do you have using PGP which you don't have by using a certificate?

    The underlying infrastructure behind SSL keys and PGP keys is the same: you have a small collection of trusted, independently verified entities, who then verify and mark keys for the people they verify. As long as you can find a sequence (a "certificate chain", or "Web of Trust") of verif
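
The comment above treats a certificate chain and a Web of Trust as the same mechanism: a search for a sequence of signatures leading back to something the verifier already trusts. As an added illustration (not part of the original comment; the key ids, names and the simplification that every signed key may itself sign others are assumptions), this Python example runs one path search over both models and shows that a single coerced signer on the path gets a second key accepted for the same name in either.

```python
from collections import deque

# Constructed sample data; all key ids and names are made up for illustration.
# Each signature is (signer_key, subject_name, subject_key).
CA_SIGS = [("root-ca", "intermediate-ca", "int-key"),
           ("int-key", "example.org", "site-key")]
WOT_SIGS = [("my-key", "alice", "alice-key"),
            ("alice-key", "example.org", "site-key")]

def find_chain(sigs, anchors, name, key, max_depth=4):
    """Return the keys from a trust anchor down to (name, key), or None."""
    # Breadth-first search: a key becomes trusted once a trusted key signs it.
    # Assumption: every signed key may sign others (no CA flag, no trust levels).
    queue = deque((a, [a]) for a in anchors)
    seen = set(anchors)
    while queue:
        signer, path = queue.popleft()
        if len(path) > max_depth:
            continue
        for s, subj_name, subj_key in sigs:
            if s != signer:
                continue
            if (subj_name, subj_key) == (name, key):
                return path + [subj_key]
            if subj_key not in seen:
                seen.add(subj_key)
                queue.append((subj_key, path + [subj_key]))
    return None

def accepted_keys(sigs, anchors, name):
    """Every key the verifier would accept as belonging to `name`."""
    candidates = {k for _, n, k in sigs if n == name}
    return {k for k in candidates if find_chain(sigs, anchors, name, k)}

def with_coerced_signer(sigs, signer, name, rogue_key="rogue-key"):
    """Same signature set plus one extra binding issued by a coerced signer."""
    return sigs + [(signer, name, rogue_key)]

if __name__ == "__main__":
    for label, sigs, anchors, signer in [
        ("CA chain", CA_SIGS, {"root-ca"}, "int-key"),
        ("Web of Trust", WOT_SIGS, {"my-key"}, "alice-key"),
    ]:
        print(label, "chain:", find_chain(sigs, anchors, "example.org", "site-key"))
        tampered = with_coerced_signer(sigs, signer, "example.org")
        print(label, "accepted after coercion:",
              sorted(accepted_keys(tampered, anchors, "example.org")))
```

What differs between the two models is who appears in the anchor set and how many independent paths a verifier demands, not the shape of the check.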

  • Wouldn't someone have to host a repository of public keys (for use in authenticating)?
