-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 03/01/2013 12:07 AM, Doug Barton wrote:
> On 02/28/2013 09:33 AM, Kristian Fiskerstrand wrote:
> > for a service that specifically targets the OpenPGP community, I
> > consider using the OpenPGP WoT more appropriate than any CA
> > Corporation.
>
> Kristian,
>
> I certainly understand that perspective, however I see a couple of
> problems with it. First, there is a bootstrapping problem. People
> new to PGP almost certainly do not possess the skills to verify
> the signature file for the cert, even if they had an appropriate
> web of trust to rely on (which obviously they would not).
>
> Second, not using a cert signed by a recognized CA presents 2
> problems: it increases the perception that the PGP community is a
> closed circle, such that if you don't already have the skills, we
> don't want to talk to you. For those new users that click through
> it adds further damage to their security habits, since we try to
> teach people NOT to do that, even though most people do it anyway.
Arguably the website doesn't provide information that strictly has to be
protected by an HTTPS scheme. So to some extent this is avoided by such
users using the HTTP website in the first place, and it does not
necessarily contribute as many difficulties to bootstrapping new users.
Another point is obviously that new users don't necessarily visit the
website at all; it is more for people with more special interests.

> In the previous era where free and/or low-cost SSL certs were not
> available I would have had a lot more sympathy with your position.
> However nowadays there are a non-zero number of good choices,
> including https://www.startssl.com/ which offers free certs, and
> has a good reputation in the community. I personally use them for
> my sites, although I have no other affiliation other than "happy
> 'customer.'"

Ironically enough I have a stronger affiliation than that, myself, as I
still have an active reseller agreement :)

> I hope you'll reconsider your decision.

I certainly continuously consider constructive feedback on the setup, so
will give it some more thought. The main issue I see is that when I
experimented with this a while ago the two schemes were incompatible,
i.e. I couldn't get monkeysphere to work with a CA-signed X.509
certificate. For this to work I'll have to completely switch to the root
CA approach, which I don't particularly trust, so I'd prefer to have a
way to continue using the OpenPGP WoT.
- -- 
- ----------------------------
Kristian Fiskerstrand
Twitter: @krifisk
- ----------------------------
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- ----------------------------
Nil satis nisi optimum
Nothing but the best is good enough
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.0-beta163 (GNU/Linux)

iQIcBAEBCAAGBQJRMOAgAAoJEAt/i2Dj7frjm4gQAJLrBUs14yKrRhFOrcxT3X/+
XpDZAZx1/jBpLqrHZn9Jlum88JLT25jVPlVFcRekPrb+gR5VUnOWk3g5NSXg13+f
fz+4dTsm0XIMmoWwOnIIIFAdu/03401FruZIZ5wy/hHJVXVDnSe0zTEh4boELcpo
0VUKSCe05csa36nQlM9wyIUr1/yIvljJVQhCadX4/fngOA0eNPifqMdTdRDz2eyW
iA7mNEmfNUvp+D240rcI7XaTUUknt3StYZJUtYids0coPkHb6GAeqiOA2GU8s7pI
6EhCnetnRqTOhslgglyn3LwiMUBhMdDCuUejnzIJoVlmLOwaiBE8H1WM392t/YyP
0fVLxdbcbTD2e8KmdscEcW0LK9LrDUSKKxx6RVJqhn7GLOJy8J53dUiLRoOsCysK
paxmvtv99wTGY5rsz3PPGez1bV0y6VSPjIOG3HIxVXeLwk4HxV94mP2DvM2JPFCS
0Mu45LtzHfZ5SviVjv3RC+gmTmRCShKgCTqaJSG8T1daI1WYiNPXsE+2FP700odv
RzlQTCh5zMs/FwsxVgSI2AITRRfYuXYKC+yAdUvSZZveGF/JifRAtSuyT5si1FTy
I+fEYLrO42t19sEAK2W3l/fFbQvcJLLZ2VCf1hi0Zz5xbi1iU2VLkw+A6nWxLheQ
BvUR2divq8Ar0LH19ypn
=8nU1
-----END PGP SIGNATURE-----
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users