

Publishing PGP Keys in the DNS - mike-cardwell
https://secure.grepular.com/Publishing_PGP_Keys_in_the_DNS

======
protomyth
Got to love a site about encryption keys that shows invalid certificate in the
browser.

~~~
mike-cardwell
Somebody makes this incorrect statement every time I post something. Read
this:

<https://secure.grepular.com/Why_Does_this_Website_Generate_SSL_Warnings>

~~~
wizardishungry
Wouldn't installing some arbitrary CA's root certificate open me to someone
attacking me with say… a PayPal cert signed by them?

~~~
mike-cardwell
That's how the CA system works. It's up to you whether or not you wish to
trust cacert. They've been around for quite a while though, and quite a few
systems have their root included, e.g. Debian, OpenBSD, Gentoo, CentOS. See:

<http://wiki.cacert.org/InclusionStatus>

It's just not included in the major browsers atm.

~~~
protomyth
"It's just not included in the major browsers atm"

Thus my statement which was factual and not incorrect. If the browser vendors
don't vet the certificate authority then most people will get the warning.

~~~
mike-cardwell
Ok, I'll take your word for it that your browser said the certificate was
"invalid" then. An inaccurate choice of wording on your browser's part.

So what was the point of your comment? It sounded to me like you were
suggesting that people shouldn't post articles about encryption, when their
website uses certificates that your browser doesn't automatically assign trust
to?

~~~
protomyth
Well, it seems like having a certificate from a CA not in most people's
browsers, each of these methods described in the original article
<http://www.gushi.org/make-dns-cert/HOWTO.html> require work from the user and
aren't supported out of the box.

