Slashdot is powered by your submissions, so send in your scoop


Forgot your password?

Submission + - Why Not Replace SSL Certificates With PGP Keys? 9

vik writes: The whole SSL process has been infiltrated by the NSA, GCSB and other n'er-do-wells. If governments want a man-in-the-middle certificate they simply issue a secret gagging order to the CA to make them issue one. Consequently "certified" SSL certificates can no longer be trusted. Ironically self-issued certificates are more secure, but not easily verified.

However, PGP/GPG keys can be trusted and independently verified. They are as secure as we can get for now. Why not replace the broken SSL CA system with GPG/PGP encryption keys? Make the NSA-infiltrated stuff obsolete, and rely on a real-world web of trust?
This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

Why Not Replace SSL Certificates With PGP Keys?

Comments Filter:
    • by vik ( 17857 )

      IPSEC packet handling is separate from the PGP algorithm. Because one application using PGP may have been sabotaged, this does not mean the entire PGP system is broken, or that using SSL is any safer. There is stil a strong case to replace SSL with PGP.

      • You're missing the point.

        Any coordinated attempt to establish a secure industry standard which has no backdoors or intentional weaknesses will be subject to infiltration and sabotage efforts. It doesn't matter what technology is involved.

        That's not to say it's impossible in the future, but it does explain why it hasn't been done yet.r />
  • This idea relies on the assumption that:

    ... PGP/GPG keys can be trusted and independently verified...

    But this is in no way guaranteed. How would you independently verify a PGP key? What additional level of guarantee do you have using PGP which you don't have by using a certificate?

    The underlying infrastructure behind SSL keys and PGP keys are the same: you have a small collection of trusted, independently verified entities, who then verify and mark keys for the people they verify. As long as you can find a sequence (a "certificate chain", or "Web of Trust") of verif

  • wouldn't someone have to host a repository of public keys (for use in authenticating?)

Mathematicians stand on each other's shoulders. -- Gauss