[Ach] StartSSL for Business Sysadmins
iang at iang.org
Tue Jan 14 12:10:04 CET 2014
On 14/01/14 13:53 PM, Tobias Dussa (SCC) wrote:
> On Tue, Jan 14, 2014 at 11:42:51AM +0100, Axel Hübl wrote:
>>> Note that the PGP trust model is much worse in that respect; there
>>> is nothing at all to help you decide on whether to bestow trust on
>>> a given signature at all.
>> Well, I guess a web-of-trust counts.
>> It helps me a lot if I guy I trust trusted a particular key by signing it.
> Exactly, that is my point. YOU have decided to trust this particular guy. It
> is YOUR problem to establish that he only signs key that are trustworthy (for
> whatever definition). There is nothing wrong with that at all, don't
> misunderstand me (I do use PGP and do attend keysigning parties all the time
> ;-)). The web of trust goes a long way, but it does not address every problem
> and comes at a cost, too.
> CAs, on the other hand, do provide CP/CPS, so you have at least some indication
> of what is going on.
Has granny read the CP/CPS?
> You still have to decide whether
Exactly. Everyone on the planet has to review the situation and decide
This is a fallacy. It is to model everyone as a lawyer.
Actually that's too kind. It's a fairy tale, and it should be preserved
for 4 year olds. To tell such a thing to adults is ... well, not smart.
> a) a given CA is
> trustworthy in the sense that they stick to their own CP/CPS and b) whether you
> think that their CP/CPS are sensible, but at least there are published CP/CPS
> (as opposed to "I know this guy and he seems to know what he is doing, so I
> trust his signatures," which essentially says nothing about what his or her
> signature actually implies).
So we've got a model that is widely ignored because it starts from an
impossible and insulting marketing claim, and we've got a model which
This is one of those battles where if you win, you lose.
More information about the Ach