Bingo
Posted Apr 3, 2011 18:29 UTC (Sun) by jthill (subscriber, #56558)
In reply to: Bingo by drag
Parent article: Laurie: Improving SSL certificate security
> Actual security is provided through PGP encryption/signing of the files being transferred. The protocols used to transfer the files are not trusted.

Not to detract from your point, but I think it's worth highlighting that SSL itself is equivalent to PGP. Browsers use a precanned trustdb, but it's the quality of the trustdb the browser vendors deliver that's in question here. Any precanned PGP trustdb will be just as vulnerable, in exactly the same ways. Phil Zimmermann (et al.) was right: a WoT is the only acceptable substitute for personal verification. That's what Google is trying to implement, without making anybody admit it in so many words.
