https - hopefully not too stupid a question

Tony Naggs tony.naggs at
Sun Jun 17 14:04:53 BST 2012

On 17 June 2012 09:48, Roger Hayter <roger at> wrote:

> Another naive question I am afraid:  If an organisation published a
> suitable key in the newspapers and the organisation itself avoided legal or
> illegal state penetration of its private information, would that enable
> individuals to set up secure two way communication with said organisation
> regardless of any MITM?

As I understand it, for secure web browsing (https) the answer is no that
is not going to help at the moment.

The underlying Secure Socket Layer (SSL / TLS) software decides to trust
the certificate it receives over the internet from Google, Facebook, etc
because it is signed with a key it can trace (through a valid chain of
signed keys) back to a certificate authority it knows about. Your PC has a
certificate store with public root certificates from 10s or 100s of such
authorities. SSL will trust the certificate if it is traceable back to
*any* one of those authorities.

There is no interface to say "for * trust only this certificate
I received in from some trusted means".

For encrypted email then PGP's web of trust model gives you direct control
of which enryption keys you trust, and which key to use for particular

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the ukcrypto mailing list