"Arnold G. Reinhold" wrote:
>
> I had some more thoughts on the question of Man in the Middle attacks
> on PGP. A lot has changed on the Internet since 1991 when PGP was
> first released. (That was the year when the World Wide Web was
> introduced as well.) Many of these changes significantly reduce the
> practicality of an MITM attack:
>
> 1. The widespread availability of SSL.
> SSL might be anathema to the PGP community since it depends on a CA
> model for trust distribution, but it has become ubiquitous and every
> personal computer sold these days includes an SSL-enabled browser
> and a set of certs. If Bob fears he is under MITM attack, he can use
> SSL to tunnel out. Several companies, such as hushmail.com, are
> already using SSL to offer secure e-mail services. These can be used
> directly by Bob to ask people at random to verify the version of
> Bob's public key at the various PGP key servers.
>
> An even better approach would be to use SSL to secure connections to
> PGP key servers in different parts of the world. This would force an
> MITM to subvert all the key servers as a minimum.

There's really nothing stopping an implementation of SSL that uses PGP
for key verification. All that's really required at the end of the day
is some ASCII (to check the server name) and a public key, verified
according to the requirements of the, err, verifier.

Cheers,

Ben.
--
http://www.apache-ssl.org/ben.html
Coming to ApacheCon Europe 2000? http://apachecon.com/
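
The key server cross-check discussed in this thread, as an added example that is not part of either post: Bob computes the OpenPGP v4 fingerprint (RFC 4880, section 12.2) of his own public key and compares it with the key material each key server returned. The server names and key values are constructed, and the fetch over SSL is assumed to have already happened.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """Encode a positive integer as an OpenPGP MPI: 2-byte bit count, big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Build a v4 RSA public-key packet body: version, creation time, algorithm 1, MPIs."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length, and the public-key packet body."""
    if not body or body[0] != 4:
        raise ValueError("not a version 4 public-key packet body")
    if len(body) > 0xFFFF:
        raise ValueError("packet body too long for a 2-byte length")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def audit(own_body: bytes, responses: dict) -> list:
    """Return the servers whose copy of the key does not match Bob's own fingerprint."""
    expected = v4_fingerprint(own_body)
    suspect = []
    for server, body in responses.items():
        try:
            matches = v4_fingerprint(body) == expected
        except ValueError:
            matches = False  # malformed or non-v4 material counts as a mismatch
        if not matches:
            suspect.append(server)
    return sorted(suspect)

# Constructed sample data: a toy modulus, not a real key.
SAMPLE_N = 0xC3A5F1D27B9E4406A1B2C3D4E5F60718293A4B5C6D7E8F9011223344556677FF
OWN_KEY = rsa_key_body(946684800, SAMPLE_N, 65537)
SUBSTITUTED = rsa_key_body(946684800, SAMPLE_N + 2, 65537)  # same user, different key

# Hypothetical key servers and what each returned over its SSL connection.
SAMPLE_RESPONSES = {
    "keys-eu.example": OWN_KEY,
    "keys-asia.example": OWN_KEY,
    "keys-us.example": SUBSTITUTED,
    "keys-au.example": b"",  # empty response
}

if __name__ == "__main__":
    print("own fingerprint:", v4_fingerprint(OWN_KEY))
    print("servers with a different key:", audit(OWN_KEY, SAMPLE_RESPONSES))
```

A single disagreeing server is enough to raise the alarm, which is why the attacker in this model has to control every server Bob queries.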