https - hopefully not too stupid a question
Tony Naggs
tony.naggs at googlemail.com
Sun Jun 17 14:04:53 BST 2012
On 17 June 2012 09:48, Roger Hayter <roger at hayter.org> wrote:
> Another naive question I am afraid: If an organisation published a
> suitable key in the newspapers and the organisation itself avoided legal or
> illegal state penetration of its private information, would that enable
> individuals to set up secure two way communication with said organisation
> regardless of any MITM?
>
As I understand it, for secure web browsing (https) the answer is no that
is not going to help at the moment.
The underlying Secure Socket Layer (SSL / TLS) software decides to trust
the certificate it receives over the internet from Google, Facebook, etc
because it is signed with a key it can trace (through a valid chain of
signed keys) back to a certificate authority it knows about. Your PC has a
certificate store with public root certificates from 10s or 100s of such
authorities. SSL will trust the certificate if it is traceable back to
*any* one of those authorities.
There is no interface to say "for *.google.com trust only this certificate
I received in from some trusted means".
For encrypted email then PGP's web of trust model gives you direct control
of which enryption keys you trust, and which key to use for particular
recipients.
Cheers,
Tony
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.chiark.greenend.org.uk/pipermail/ukcrypto/attachments/20120617/d0fc03db/attachment-0001.html>
More information about the ukcrypto
mailing list