[conspire] Offering GPG/PGP Workshop at CABAL
Rick Moen
rick at linuxmafia.com
Wed May 14 16:56:53 PDT 2008
Quoting Daniel Gimpelevich (daniel at gimpelevich.san-francisco.ca.us):
> I was attempting to point out that your cert is already an example of a
> private, self-contained bottom-up web of trust, which is already
> bootstrapped within its realm.
You have missed the point: My https://linuxmafia.com/ SSL cert's intended
realm is incredibly tiny, and doesn't need bootstrapping. It is
specifically designed to be trusted only by me, a couple of shell users
who already have other means to verify its provenance, and anyone given
a copy directly in a fashion that credibly validates its origin.
In fact, I'd be astonished to hear that anyone but me had really ever
had reason to rely on it. I can think of exactly one Web service I use
where it has any point at all (which I'll not go into, here), and nobody
else uses that.
In any event, the only sorts of S/MIME certificates that are actually
any use in the real world are those attested to by paid notaries.[1]
Which is what makes that crypto regime, for real-world purposes, a
top-down PKI model, regardless of anything the CAcert.org Web site
claims.
Getting back to the point, that happens not to be what Mark's talk is
about. If you wish to give your _own_ talk about how well a "web of
trust" built around CAcert's squirrely "points" system and a root
certificate that's _not actually trusted by any commonly used software_,
feel free.
This is also a major part of why getting CAcert-related signing of
one's SSL cert is likewise far more trouble than it's worth: Its SSL
root certificate isn't included in commonly used Web browsers, either.
Now, honestly, didn't you _already_ know all that? If so, why did we
have to go through all this?
[1] Temporary exception: Last I checked, Thawte's S/MIME certs to
individuals were still being underwritten by Verisign, Inc., and made
available gratis to individuals -- for now -- as a promotional offering.
(They're thus still paid notaries, but the cost is picked up by the
corporate sponsor that is trying to build the market.)
More information about the conspire
mailing list