[2844] in WWW Security List Archive
RE: SSL and certificates
daemon@ATHENA.MIT.EDU (Michael Brennen)
Thu Aug 29 13:40:13 1996
Date: Thu, 29 Aug 1996 10:26:47 -0500 (CDT)
From: Michael Brennen <mbrennen@fni.com>
To: Jon Tegethoff <jet@cypher-sage.com>
cc: "'Www-Security@ns2.rutgers.edu'" <Www-Security@ns2.rutgers.edu>
In-Reply-To: <01BB9588.4DB7C280@jon.cypher-sage.com>
Errors-To: owner-www-security@ns2.rutgers.edu
On Thu, 29 Aug 1996, Jon Tegethoff wrote:
> On Wed, 28 Aug 1996, Michael Brennen wrote:
>
> >One major reason for using PGP is the simplicity of key management. In
> >DES or IDEA you need a secure channel to exchange keys. With PGP, key
> >management becomes much simpler.
>
> I believe that this is the major reason for not using PGP for this type
> of application. The trust model is not solid enough. Trusted CAs are
> required!
Overall I agree, and the CA infrastructure is being worked out.
However, I also think this depends on the immediate context. If I am
working closely with a specific client that I have developed a close
relationship with over time, I can trust their keys much more (I probably
walked them through the creation process). In a closely monitored process
that is intended to transfer specific information from one process to the
client then a specific set of keys can be generated to handle that one
transfer. Unless I don't trust the client, I don't think a CA is
necessarily required in such a context.
As in most secure contexts, it becomes a matter of risk assessment and a
careful examination of what I base my trust on.
-- Michael
