[159248] in North American Network Operators' Group
Re: Gmail and SSL
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Wed Jan 2 15:24:31 2013
In-Reply-To: <CAP-guGXmjuTG+e3n2D5SWexiYUGfGrTN1myOR4THDQMJJwavOA@mail.gmail.com>
Date: Wed, 2 Jan 2013 15:24:03 -0500
From: Christopher Morrow <morrowc.lists@gmail.com>
To: William Herrin <bill@herrin.us>
Cc: John Levine <johnl@iecc.com>, nanog@nanog.org
On Wed, Jan 2, 2013 at 2:36 PM, William Herrin <bill@herrin.us> wrote:
> On Wed, Jan 2, 2013 at 1:39 PM, Christopher Morrow
> <morrowc.lists@gmail.com> wrote:
>> goodness-scale (goodness to the left)
>> signed > self-signed > unsigned
>
> Hi Chris,
>
> Self-signed and unsigned are identical. The "goodness" scale is:
>
> Encrypted & Verified (signed) > Encrypted Unsigned (or self-signed,
> same difference) > Unencrypted but physically protected > Unprotected
>
>> I don't think there's much disagreement about that... the sticky
>> wicket though is 'how much better is 'signed' vs 'self-signed' ? and I
>> think the feeling is that:
>
> I don't see how "feeling" plays into it.
>
> Communications using an unverified public key are trivially vulnerable
> to a man-in-the-middle attack where the connection is decrypted,
> captured in its unencrypted form and then undetectably re-encrypted
> with a different key. Communications using a key signed by a trusted
> third party suffer such attacks only with extraordinary difficulty on
> the part of the attacker. It's purely a technical matter.
>
> The information you're trying to protect is either sensitive enough
> that this risk is unacceptable or it isn't. That's purely a question
> for the information owner. No one else's opinion matters for squat.
I think we're talking past each other :(
I also think we're mostly saying the same thing...
I think though that the 'a question for the information owner' is
great, except that I doubt most of them are equipped with enough
information to make the judgement themselves.
-chris