
Presumably for SSL you either need to:
- Buy an expensive certificate from a known CA (maybe there are free / cheap ones?)
InstantSSL sells certs for $50/year. You may be able to find it even cheaper elsewhere.
- Trust any old certificate that comes along
You can also trust a finite set of certificates that you have personally verified (just like personally verifying GPG keys).
- Build a web of trust for signing certificates, just the same as for gpg. Is there a way to do this? GPG has built-in ways to do this, does SSL?
Yes. Most SSL installations have ways of adding root certs, certs for entities that you trust to sign other certs. e.g. we can make haskell.org a root cert.

Look, cryptographically GPG and SSL are very similar. With either one, if you trust long chains of signings, you are at risk that any intervening key has been compromised. So, in practice, you rely on a set of root certs/signers you trust to
* put some effort into verifying the mapping from a key to an identity,
* maintain their private keys sufficiently securely that you can trust them for long periods of time, and
* notify you when keys they have signed have been compromised.

Whether you use GPG or SSL, operation of this key certification and revocation service has real costs. We can choose an identity model for the Haskell community that reduces these costs, but that is orthogonal to whether we use SSL or GPG.

The real differentiator between SSL and GPG is that the former is transport level while the latter is file level. With SSL, I think you suffer additional complexity each time you set up a web server. With GPG, you suffer additional complexity each time you create a new file to share. I think most people create many more files to share than they set up web servers to serve them, so I prefer the SSL model.

-Alex-

______________________________________________________________
S. Alexander Jacobson tel:917-770-6565 http://alexjacobson.com

On Tue, 17 May 2005, Isaac Jones wrote:
Shae Matijs Erisson writes:
Isaac Jones writes:
How does one generate a signed SSL certificate? It's very costly, isn't it?
It's free to generate a self-signed certificate, but that doesn't help much. As you suggest later in this email, there could be a CA on haskell.org.
But how do you configure your browser / client to trust that certificate? I guess in web browsers it usually tells you that it's signed by an unknown CA, do you want to trust it, then you can click through.
Presumably for SSL you either need to:
- Buy an expensive certificate from a known CA (maybe there are free / cheap ones?)
- Trust any old certificate that comes along
- Build a web of trust for signing certificates, just the same as for gpg. Is there a way to do this? GPG has built-in ways to do this, does SSL?
Thanks for the GPG HOWTO!
peace,
isaac

_______________________________________________
Libraries mailing list
Libraries@haskell.org
http://www.haskell.org/mailman/listinfo/libraries