Why Not Replace SSL Certificates With PGP Keys? - Slashdot

Please create an account to participate in the Slashdot moderation system

Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Submission + - Why Not Replace SSL Certificates With PGP Keys? 9

Submitted by vik on Saturday September 07, 2013 @08:40PM

vik writes: The whole SSL process has been infiltrated by the NSA, GCSB and other n'er-do-wells. If governments want a man-in-the-middle certificate they simply issue a secret gagging order to the CA to make them issue one. Consequently "certified" SSL certificates can no longer be trusted. Ironically self-issued certificates are more secure, but not easily verified.

However, PGP/GPG keys can be trusted and independently verified. They are as secure as we can get for now. Why not replace the broken SSL CA system with GPG/PGP encryption keys? Make the NSA-infiltrated stuff obsolete, and rely on a real-world web of trust?

This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

Why Not Replace SSL Certificates With PGP Keys?

Load All Comments

Search 9 Comments Log In/Create an Account

Comments Filter:

Because sabotage (Score:2)

by Wonko the Sane ( 25252 ) * writes:

http://linux.slashdot.org/story/13/09/07/195241/john-gilmore-analyzes-nsa-obstruction-of-crypto-in-ipsec [slashdot.org]
- Re: (Score:2)
  
  by vik ( 17857 ) writes:
  
  IPSEC packet handling is separate from the PGP algorithm. Because one application using PGP may have been sabotaged, this does not mean the entire PGP system is broken, or that using SSL is any safer. There is stil a strong case to replace SSL with PGP.
  - Re: (Score:2)
    
    by Wonko the Sane ( 25252 ) * writes:
    
    You're missing the point.
    
    Any coordinated attempt to establish a secure industry standard which has no backdoors or intentional weaknesses will be subject to infiltration and sabotage efforts. It doesn't matter what technology is involved.
    
    That's not to say it's impossible in the future, but it does explain why it hasn't been done yet.r />
    - Re: (Score:1)
      
      by darue ( 2699381 ) writes:
      
      probably true
- Re: (Score:2)
  
  by vik ( 17857 ) writes:
  
  Convergence is no longer in active development, and TACK uses elliptic curve keys, which are suspect.
  - Thanks for the heads up ! (Score:1)
    
    by Taco Cowboy ( 5327 ) writes:
    
    Convergence is no longer in active development, and TACK uses elliptic curve keys, which are suspect.
    
    Many thanks for the heads up !
    The development for Convergence has stopped since 2011, and TACK ain't as secured as it should be.
"Independently verified" ... How? (Score:2)

by stoborrobots ( 577882 ) writes:

This idea relies on the assumption that:
... PGP/GPG keys can be trusted and independently verified...
But this is in no way guaranteed. How would you independently verify a PGP key? What additional level of guarantee do you have using PGP which you don't have by using a certificate?
The underlying infrastructure behind SSL keys and PGP keys are the same: you have a small collection of trusted, independently verified entities, who then verify and mark keys for the people they verify. As long as you can find a sequence (a "certificate chain", or "Web of Trust") of verif
sounds good. Get it done folks. (Score:1)

by darue ( 2699381 ) writes:

wouldn't someone have to host a repository of public keys (for use in authenticating?)

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

We can found no scientific discipline, nor a healthy profession on the technical mistakes of the Department of Defense and IBM. -- Edsger Dijkstra