openPGP vs x509

Atom 'Smasher' atom-gpg at suspicious.org
Wed Apr 7 10:48:06 CEST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> My opinion is, that the hierarchical X509 structure is more efficient
> because not every client has to know about a special certificate. On the
> other side,
======================

i would argue that it's less efficient, largely because there's a single
point of failure (the CA).


> I have no idea how this should work with pgp-keys in reality.
========================

here's how i picture it:

let's say you connect to https://my-server.com and that certificate is
signed with my PGP key. if you have my key "installed" in your browser,
and marked as "trusted", then you get a secure connection. otherwise, you
get a pop-up box asking you if you'd like to accept, examine or discard
the certificate.


> To encrypt a connection normally the opponent's public key is used
> to encrypt and the secret key is used to decrypt. This means, that a
> server has to know all public keys of clients connecting to it. A
> handshake between the server and client maybe solve this prob.
=======================

my understanding of SSL/TLS is that the client can authenticate the
server, but the server has no way to authenticate the client (via
SSL/TLS).

in practice, i connect to https://paypal.com and i want to be VERY sure
that i'm connecting to the correct server. the server has no need to
authenticate that the key on my end ~really~ belongs to me... that's what
my login credentials (username/password) are for.


        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3
 -------------------------------------------------

	"You have just dined, and however scrupulously
	 the slaughterhouse is concealed in the graceful
	 distance of miles, there is complicity."
		-- Ralph Waldo Emerson, 1870
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
Comment: What is this gibberish?  -  http://atom.smasher.org/links/#digital_signatures

iD8DBQFAc7/mnCgLvz19QeMRAonWAJ9N4+YlIfrmw5NHBoCpzjOmjrmMUwCdFEqp
3YD9lG8pmvXsZNw9XAbVRmY=
=Ky8C
-----END PGP SIGNATURE-----


