Submission + - Why Not Replace SSL Certificates With PGP Keys? 9
vik writes: The whole SSL process has been infiltrated by the NSA, GCSB and other n'er-do-wells. If governments want a man-in-the-middle certificate they simply issue a secret gagging order to the CA to make them issue one. Consequently "certified" SSL certificates can no longer be trusted. Ironically self-issued certificates are more secure, but not easily verified.
However, PGP/GPG keys can be trusted and independently verified. They are as secure as we can get for now. Why not replace the broken SSL CA system with GPG/PGP encryption keys? Make the NSA-infiltrated stuff obsolete, and rely on a real-world web of trust?
However, PGP/GPG keys can be trusted and independently verified. They are as secure as we can get for now. Why not replace the broken SSL CA system with GPG/PGP encryption keys? Make the NSA-infiltrated stuff obsolete, and rely on a real-world web of trust?
Because sabotage (Score:2)
Re: (Score:2)
IPSEC packet handling is separate from the PGP algorithm. Because one application using PGP may have been sabotaged, this does not mean the entire PGP system is broken, or that using SSL is any safer. There is stil a strong case to replace SSL with PGP.
Re: (Score:2)
Any coordinated attempt to establish a secure industry standard which has no backdoors or intentional weaknesses will be subject to infiltration and sabotage efforts. It doesn't matter what technology is involved.
That's not to say it's impossible in the future, but it does explain why it hasn't been done yet.r
Re: (Score:1)
Re: (Score:2)
Convergence is no longer in active development, and TACK uses elliptic curve keys, which are suspect.
Thanks for the heads up ! (Score:1)
Convergence is no longer in active development, and TACK uses elliptic curve keys, which are suspect.
Many thanks for the heads up !
The development for Convergence has stopped since 2011, and TACK ain't as secured as it should be.
"Independently verified" ... How? (Score:2)
This idea relies on the assumption that:
But this is in no way guaranteed. How would you independently verify a PGP key? What additional level of guarantee do you have using PGP which you don't have by using a certificate?
The underlying infrastructure behind SSL keys and PGP keys are the same: you have a small collection of trusted, independently verified entities, who then verify and mark keys for the people they verify. As long as you can find a sequence (a "certificate chain", or "Web of Trust") of verif
sounds good. Get it done folks. (Score:1)