multiple subkeys and key transition

MFPA expires2010 at ymail.com
Sun Dec 12 04:28:21 CET 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Sunday 12 December 2010 at 2:15:50 AM, in
<mid:4D043056.40600 at sixdemonbag.org>, Robert J. Hansen wrote:


> On 12/11/2010 6:22 PM, MFPA wrote:
>> A question on the subject of SSL/TLS certificates and HTTPS: often
>> there is no user requirement to "authenticate" the identity of the
>> server, but rather a simple requirement to prevent snooping; why does
>> this need a certificate?

> Otherwise the snooper could just use a MitM and you'd
> be none the wiser.

I'd be no worse off than if the connection had just been plain vanilla
http.



> When you visit Amazon.com, both you and Amazon need
> some way to ensure you're talking to the real McCoy.
> Amazon authenticates you by having you provide a
> username and password.

In the instance that I'm only browsing around on Amazon and not
actually ordering any books at the moment, I would not sign up and
create a username/password. But I might not wish for my ISP to log all
the books I looked at in case the government wanted to know...



> You authenticate Amazon by
> checking their SSL cert and seeing that it was issued
> by a trusted authority.

Or do I just notice the padlock icon and the yellow address bar
indicating an encrypted connection?



> If you didn't check the SSL cert, I could provide a
> self-signed SSL cert, have you accept it, and then do a
> MitM on your connection.

Since my browser would display a warning about untrusted certificates,
I'd be likely to notice that.

If you provided a cert signed by a CA that my browser trusts, and that
matched your server details so no warning was displayed, I probably
wouldn't notice. (Of course, there are browser add-ons to detect
changes of certificate on previously-visited sites...)



>  Next thing you know, you've
> paid for all my Christmas shopping...

To me, the page where payment details are entered does not look much
like an example of "no user requirement to authenticate the identity
of the server, but rather a simple requirement to prevent snooping."




- --
Best regards

MFPA                    mailto:expires2010 at ymail.com

Success isn't how far you got, but the distance you travelled from where you started
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



