[cryptography] Gmail and SSL
unclezzzen at gmail.com
Tue Dec 18 01:17:21 EST 2012
I don't understand much about CAs, but I know what PayPal does: you paste
your public key (while being logged in via SSL, of course) and THEY sign it.
They also show you a "key id" string (I don't remember the exact name) that you
should include inside the encrypted request (probably against a case where
the key gets compromised, but not the app's config). The user/password auth
that POP3 has seems equivalent to that (at least to me).
PR-wise (e.g. if there's a petition), maybe it's easier to explain this to
laypeople (like me) along the lines of:
"we want google to do what paypal does, but google says:
privacy-via-bureaucracy or no privacy at all"
and only in the fine-print dive into the way CAs work.
Just a thought.
On Tue, Dec 18, 2012 at 8:18 AM, James A. Donald <jamesd at echeque.com> wrote:
> On 2012-12-18 1:25 AM, CodesInChaos wrote:
> One could require the user to specify/confirm a certificate fingerprint on
> gmail in such a case. That way you're MitM proof, even with a self signed
> Who is the real you? Well, obviously the you that knows the gmail
> Therefore, the password should not be communicated in the clear. Gmail should
> not care whether you have a validly signed certificate, but you should care
> whether gmail has a validly signed certificate, and that it has the usual
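The check CodesInChaos proposes in the quoted reply (the user confirms the mail server's certificate fingerprint once, so a self-signed certificate is still MitM-resistant) as an added Go example; this is not code from the thread, from Gmail or from PayPal. It assumes a hypothetical host name pop.example.org, a SHA-256 fingerprint over the DER-encoded leaf certificate, and a throwaway self-signed certificate generated in-process to stand in for the user's mail server; the server listens on a loopback TCP socket so the whole thing runs offline. A second self-signed certificate for the same name plays the man in the middle.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway self-signed certificate for host.
// It stands in for a user's mail server that has no CA-issued certificate.
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Fingerprint is the hex SHA-256 of the DER-encoded leaf certificate: the
// string the user would confirm in the Gmail UI under this proposal.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// pinnedConfig returns a client tls.Config that skips CA validation entirely
// and accepts the server only if its leaf certificate matches the pinned
// fingerprint. A mismatch fails closed.
func pinnedConfig(pin string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // no CA chain check; the callback below is the only check
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("server sent no certificate")
			}
			if got := Fingerprint(rawCerts[0]); got != pin {
				return fmt.Errorf("certificate fingerprint mismatch: got %s want %s", got, pin)
			}
			return nil
		},
	}
}

// Handshake runs a TLS handshake over loopback TCP between a server presenting
// serverCert and a client that pinned pin. It returns nil when the client
// accepts the server and the verification error otherwise.
func Handshake(serverCert tls.Certificate, pin string) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()

	srvDone := make(chan struct{})
	go func() {
		defer close(srvDone)
		conn, aerr := ln.Accept()
		if aerr != nil {
			return
		}
		defer conn.Close()
		_ = conn.SetDeadline(time.Now().Add(5 * time.Second))
		s := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}})
		_ = s.Handshake() // fails with an alert when the client rejects the fingerprint
	}()

	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer raw.Close()
	_ = raw.SetDeadline(time.Now().Add(5 * time.Second))
	err = tls.Client(raw, pinnedConfig(pin)).Handshake()
	<-srvDone
	return err
}

func main() {
	cert, err := selfSignedCert("pop.example.org") // hypothetical user mail server
	if err != nil {
		panic(err)
	}
	pin := Fingerprint(cert.Certificate[0])
	fmt.Println("user-confirmed fingerprint:", pin)
	fmt.Println("genuine server:", Handshake(cert, pin))

	// A man in the middle can mint a self-signed cert for the same name
	// just as easily, but cannot reproduce the pinned fingerprint.
	mitm, err := selfSignedCert("pop.example.org")
	if err != nil {
		panic(err)
	}
	fmt.Println("MitM server:", Handshake(mitm, pin))
}
```

InsecureSkipVerify turns off the CA chain check completely, so the VerifyPeerCertificate callback is the only authentication the client does; that is the point of the proposal, but it also means a legitimately rotated server key looks exactly like an attacker until the user re-confirms the new fingerprint, and the check must keep failing closed on mismatch as it does here.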