Relevance of PGP?
Richard Pieri
richard.pieri-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri Jun 10 12:50:38 EDT 2011
On Jun 10, 2011, at 9:34 AM, Bill Ricker wrote:
>
> On Fri, Jun 10, 2011 at 8:12 AM, Edward Ned Harvey <blu-Z8efaSeK1ezqlBn2x/YWAg at public.gmane.org> wrote:
>> Go get a free certificate from
>
> a signature with a free CA cert deserves no trust - it verifies the
> email address was the email address on a certain date only.
Which for all useful purposes is useless. This is only one step removed from the bogus certificates for Google and Amazon that were cut a few months ago. These demonstrate the fundamental flaw in the concept of certificate authorities, a flaw that we've known about for at least two decades. Specifically: there is no mechanism to verify the CAs themselves. There is no way to detect that a CA has been subverted or compromised.
PGP was written not to use CAs specifically for this reason. This makes PGP a little more cumbersome to use, but makes it impervious to S/MIME's most egregious flaw.
--Rich P.