[Ach] StartSSL for Business Sysadmins

ianG iang at iang.org
Tue Jan 14 12:10:04 CET 2014


On 14/01/14 13:53 PM, Tobias Dussa (SCC) wrote:
> Hi,
> 
> On Tue, Jan 14, 2014 at 11:42:51AM +0100, Axel Hübl wrote:
>>> Note that the PGP trust model is much worse in that respect; there
>>> is nothing at all to help you decide on whether to bestow trust on
>>> a given signature at all.
>> Well, I guess a web-of-trust counts.
>> It helps me a lot if a guy I trust trusted a particular key by signing it.
> 
> Exactly, that is my point.  YOU have decided to trust this particular guy.  It
> is YOUR problem to establish that he only signs keys that are trustworthy (for
> whatever definition).  There is nothing wrong with that at all, don't
> misunderstand me (I do use PGP and do attend keysigning parties all the time
> ;-)).  The web of trust goes a long way, but it does not address every problem
> and comes at a cost, too.
> 
> CAs, on the other hand, do provide CP/CPS, so you have at least some indication
> of what is going on.


Has granny read the CP/CPS?


> You still have to decide whether


Exactly.  Everyone on the planet has to review the situation and decide
for themselves.

This is a fallacy.  It is to model everyone as a lawyer.

Actually that's too kind.  It's a fairy tale, and it should be preserved
for 4-year-olds.  To tell such a thing to adults is ... well, not smart.


> a) a given CA is
> trustworthy in the sense that they stick to their own CP/CPS and b) whether you
> think that their CP/CPS are sensible, but at least there are published CP/CPS
> (as opposed to "I know this guy and he seems to know what he is doing, so I
> trust his signatures," which essentially says nothing about what his or her
> signature actually implies).


So we've got a model that is widely ignored because it starts from an
impossible and insulting marketing claim, and we've got a model which
says nothing.

This is one of those battles where if you win, you lose.


iang



