[cryptography] Gmail and SSL

Uncle Zzzen unclezzzen at gmail.com
Tue Dec 18 01:17:21 EST 2012


I don't understand much about CAs, but I know what PayPal does: you paste
your public key (while being logged in via SSL, of course) and THEY sign it
for you.
They also show you a "key id" string (don't remember the exact name) that you
should include inside the encrypted request (probably against a case where
the key gets compromised, but not the app's config). The user/password auth
that POP3 has seems equivalent to that (at least to me).

PR-wise (e.g. if there's a petition), maybe it's easier to explain this to
laypeople (like me) along the lines of:
"we want Google to do what PayPal does, but Google says:
privacy-via-bureaucracy or no privacy at all"
and only in the fine print dive into the way CAs work.

Just a thought.


On Tue, Dec 18, 2012 at 8:18 AM, James A. Donald <jamesd at echeque.com> wrote:

>  On 2012-12-18 1:25 AM, CodesInChaos wrote:
>
> One could require the user to specify/confirm a certificate fingerprint on
> gmail in such a case. That way you're MitM-proof, even with a self-signed
> certificate.
>
>
> Who is the real you?  Well, obviously the you that knows the gmail
> password.
>
> Therefore, the password should not be communicated in the clear.  Gmail should
> not care whether you have a validly signed certificate, but you should care
> whether gmail has a validly signed certificate, and that it has the usual
> signature.
>
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
>
>
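An added example (my code, not from either poster, and not anything Google or PayPal ships) of what "specify/confirm a certificate fingerprint" from the quoted suggestion looks like on the client side: the client ignores the CA chain entirely, grabs the server's DER certificate after the TLS handshake, and compares its SHA-256 fingerprint, in constant time, against a pin the user obtained out of band. The host/port (pop.gmail.com:995) are only illustrative, and the pinned constant is the SHA-256 of the constructed bytes b"abc", not of any real certificate; a real pin would come from an earlier fetch_fingerprint() run that the user confirmed by another channel.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed sample pin: SHA-256 of the bytes b"abc", standing in for a
# server certificate. NOT the fingerprint of any real Gmail certificate.
EXAMPLE_PIN = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


class PinMismatch(Exception):
    """Raised when the server's certificate does not match the pinned fingerprint."""


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of a DER certificate,
    the same format OpenSSL's `x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def normalize_fingerprint(text: str) -> str:
    """Accept 'AB:CD:...', 'abcd...', or with spaces; return lower-case hex.
    Rejects anything that is not exactly 32 bytes of hex so a typo in the
    user-entered pin fails loudly instead of never matching."""
    hexstr = text.strip().replace(":", "").replace(" ", "").lower()
    if len(hexstr) != 64 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError("fingerprint must be 64 hex characters (SHA-256)")
    return hexstr


def pin_matches(der: bytes, expected_fingerprint: str) -> bool:
    """Constant-time comparison of the certificate's fingerprint with the pin."""
    actual = normalize_fingerprint(fingerprint_sha256(der))
    expected = normalize_fingerprint(expected_fingerprint)
    return hmac.compare_digest(actual, expected)


def _tls_connect_no_ca(host: str, port: int, timeout: float) -> ssl.SSLSocket:
    # CA validation is deliberately off: trust comes from the pin, not a CA.
    # This is exactly the self-signed-certificate case in the quoted message.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    sock = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(sock, server_hostname=host)


def fetch_fingerprint(host: str, port: int, timeout: float = 10.0) -> str:
    """First-contact step: show the user the fingerprint to confirm out of band.
    Whatever answers here may be a MitM; the user must verify the value
    elsewhere before pinning it."""
    tls = _tls_connect_no_ca(host, port, timeout)
    try:
        return fingerprint_sha256(tls.getpeercert(binary_form=True))
    finally:
        tls.close()


def connect_pinned(host: str, port: int, expected_fingerprint: str,
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and refuse to proceed unless the peer's
    certificate matches the pin. Nothing (no password!) is sent before
    the check passes."""
    tls = _tls_connect_no_ca(host, port, timeout)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, expected_fingerprint):
        tls.close()
        raise PinMismatch(f"{host}:{port} presented a certificate that does not "
                          f"match the pinned fingerprint")
    return tls


if __name__ == "__main__":
    # Illustrative POP3S flow (host/port are assumptions, not a real pin):
    # 1. first run: print the fingerprint for the user to confirm out of band
    print("server fingerprint:", fetch_fingerprint("pop.gmail.com", 995))
    # 2. later runs: connect only if the pin still matches, then read the banner
    try:
        tls = connect_pinned("pop.gmail.com", 995, EXAMPLE_PIN)
    except PinMismatch as e:
        print("refusing to log in:", e)
    else:
        print(tls.recv(128).decode(errors="replace").strip())
        tls.close()
```

The point of the split between fetch_fingerprint() and connect_pinned() is that the only trust-on-first-use moment is the one where the user reads the fingerprint and confirms it by some other channel; after that, the CA system is not consulted at all, and the POP3 password never leaves the client unless the pin check passed.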