[Psi-devel] OT: CACert included in Kubuntu?
textshell-I1QKlO@neutronstar.dyndns.org
Thu Nov 30 15:01:55 PST 2006
On Thu, Nov 30, 2006 at 02:45:19PM -0800, Justin Karneges wrote:
> On Thursday 30 November 2006 1:11 pm, Trejkaz wrote:
>
> So yeah, GPG is a perfectly fair way to do secure package downloading. The
> other way would be to use X.509 without the official root CAs. I would
> recommend either of these approaches in any situation where all parties
> involved are "known", not just for package management.
>
> For example, we might consider bundling a public key inside of Psi, for
> verifying things like updates (or anything the client might auto-download
> from psi-im.org, such as iconsets... thinking far into the future
> here :) ). This key would not need a root CA signature, since the security
> domain is closed and specific. It is only when you need communication with
> unknown entities that the root CA system becomes truly useful.
Yes, all autodownloads should be digitally signed.
>
> > It would be nice if there were proof of trust of the root CAs' keys.
>
> There is. The fact that your browser/OS has them installed.
>
> > For instance, if my bank actually signed their key, I might believe that
> > they trust it. At the current point in time I have to assume that they're
> > in the same situation as myself -- skeptical but with little choice but to
> > trust it.
>
> The bank certifies Verisign? I don't get what you're suggesting here.
>
I think it's about the bank using some own key to sign their TLS
certificates. I think the bank is much more trustable than some generic CA.
Or maybe some CA that specializes in banks.
I think the German HBCI homebanking standard does something like that...
But well, it uses a smartcard anyway and client software. I wouldn't trust a
Java applet running in a browser all just secured with lots of duct tape
and public CA based TLS...
- Martin H.
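To make the bundled-key idea from Justin's quoted message concrete, here is an added example (not Psi's code, written for this thread) of an update check that trusts only a key pinned in the client, with no root CA involved: the publisher signs a small manifest with Ed25519, and the client verifies the manifest signature against the pinned key and then the artifact's hash against the manifest. The manifest layout, the key handling and the sample iconset are assumptions for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the client would fetch next to an artifact: the
// artifact name, its SHA-256, and a detached signature over both.
// (Assumed layout for this example, not a real Psi format.)
type Manifest struct {
	Name   string
	Sha256 string // hex-encoded SHA-256 of the artifact
	Sig    []byte // Ed25519 signature over Name + "\n" + Sha256
}

func manifestBytes(m Manifest) []byte { return []byte(m.Name + "\n" + m.Sha256) }

// SignManifest is the publisher side: run with the private key that
// belongs to the public key bundled inside the client.
func SignManifest(priv ed25519.PrivateKey, name string, content []byte) Manifest {
	sum := sha256.Sum256(content)
	m := Manifest{Name: name, Sha256: hex.EncodeToString(sum[:])}
	m.Sig = ed25519.Sign(priv, manifestBytes(m))
	return m
}

// VerifyDownload is the client side. Only the pinned key is trusted;
// there is no certificate chain to evaluate, so a valid signature from
// any other key is rejected just like a tampered artifact.
func VerifyDownload(pinned ed25519.PublicKey, m Manifest, content []byte) error {
	if !ed25519.Verify(pinned, manifestBytes(m), m.Sig) {
		return errors.New("manifest signature does not verify against bundled key")
	}
	sum := sha256.Sum256(content)
	if hex.EncodeToString(sum[:]) != m.Sha256 {
		return errors.New("artifact hash does not match signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub is what the client would ship
	iconset := []byte("constructed sample iconset contents")
	m := SignManifest(priv, "iconset-classic.zip", iconset)
	fmt.Println("genuine: ", VerifyDownload(pub, m, iconset))
	fmt.Println("tampered:", VerifyDownload(pub, m, append([]byte{}, append(iconset, '!')...)))
	_, other, _ := ed25519.GenerateKey(rand.Reader) // a key the client never pinned
	fmt.Println("other key:", VerifyDownload(pub, SignManifest(other, "iconset-classic.zip", iconset), iconset))
}
```

The same split (sign a manifest, pin the verifying key in the client, hash the payload) is how signed package repositories work, which is why the quoted message treats GPG-signed packages and CA-less X.509 as equivalent for a closed set of parties.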