[H-GEN] https + apache
Russell Stuart
russell at stuart.wattle.id.au
Mon Jul 21 18:42:22 EDT 2003
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
On Mon, 2003-07-21 at 20:00, Christopher Biggs wrote:
> Interesting idea. Of course, you're then left with the problem of how
> do you tell the difference between a valid signature from the
> "ComWestNatPacwealthNZional Banking Corporation" and a forged one;
> you're back to square one...
Well, yes, you are right - a fatal flaw, and that is why I don't design
crypto systems I guess. What I was trying to do was show that a system
that mirrors the trust model we humans have built up over thousands
of years is much better than trying to replace it with a simple
hierarchal one. Now you have forced me to think about it further, it
is not immediately obvious how you would put something like that in place.
I thought it was like the PGP web of trust, but perhaps that was a
mirage. I suspect you have just forced me to acknowledge a point you
made earlier.
> I still don't think it's as bad as you picture it, however. You're still
> not separating the issues of "am I really talking to FooBarSoft Inc."
> and "how do I decide if I trust FooBarSoft". SSL was never intended
> to address the second issue.
I hope I have the distinction right. My problem is that SSL is very
poor at addressing the first issue. At least that is my current belief,
and I don't recall anybody in this current thread offering an argument
to the contrary.
--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'. See http://www.humbug.org.au/