[cryptography] [Cryptography] Why aren’t we using SSH for everything?

John Levine johnl at iecc.com
Sun Jan 4 18:38:16 EST 2015


>>> gpg signed attestations, e.g. see up front of my site, https://psg.com
>>
>> Not sure if that helps at all - the CA is an invalid certificate and would
>> be expired even if the validity dates were correct. That doesn't indicate
>> proper cert handling...
>>
>
>And if it was SSH, how would we ever truly verify that public key?

I'm not Randy, and I rarely look at SSH keys, but I do note that the
bogus CA doesn't matter, since the file you download contains a PGP
signature you can verify.  Well, you can if you believe that the key
with ID EA37E360 belongs to Randy.  Perhaps I'll ask him when I see
him in Dallas.

R's,
John

