[Discuss] Relevance of PGP?
Richard Pieri
richard.pieri at gmail.com
Thu Jun 23 15:13:19 EDT 2011
On Jun 10, 2011, at 8:12 AM, Edward Ned Harvey wrote:
>
> I am very surprised to hear people using the term "PGP" as if it were
> synonymous with "Email signing/encryption." As far as I'm concerned, S/MIME
> has already won the war on email signing/encryption. Go get a free
> certificate from startssl.com, and voila.
For those a bit slower than I on the Slashdot feed:
http://news.netcraft.com/archives/2011/06/22/startssl-suspends-services-after-security-breach.html
https://www.startssl.com/
The text:
> Maintenance
>
> Due to an attack on our systems and a security breach that occurred at the 15th of June, issuance of digital certificates and related services have been temporarily suspended as a defensive measure. Our services will be gradually reinstated as the situation allows.
>
> Subscribers and holders of valid certificates are not affected in any form.
>
> Visitors to web sites and other parties relying on valid certificates are not affected.
>
> We apologize for the temporary inconvenience and thank you for your understanding.
Little useful information there. Nothing there to indicate what constitutes an *in*valid certificate. The front page was updated on 21 June, nearly a week after the attack. That's a week's worth of possibly compromised certificates.
Regardless, this is just another example of the biggest flaw in SSL and S/MIME, that they are only as good as the certificate authorities.
--Rich P.