Read Bruce Schneier's Applied Cryptography was Re: One more time, SSL vs GPG

John Meacham john at
Thu May 19 22:22:52 EDT 2005

On Thu, May 19, 2005 at 12:27:51PM -0400, S. Alexander Jacobson wrote:
> I've read the book.  I understand crypto well enough.  Perhaps you 
> could answer a simple question:
>   If I query Hackage for a package URL, what assurance do I have that
>   the URL I receive is actually correct?
> Note, I am NOT asking how you authenticate the content retrieved from 
> that URL.  I am asking how you know the URL itself is correct?

Because if the URL is not correct, then the content will not
authenticate. I am not sure how else to put it since that is what is
important, that you get the package you are asking for. Note that this
does not require you trust the hackage server at all, all security is
end-to-end as it should be. There is no need to trust any link in the
chain. hackage is meerly a way to match providers of packages to
consumers of them.

So, A better question is, if the content authenticates, does it matter
whether the URL was correct? At worst it means somone is
clandestinly mirroring your content, which doesn't seem that bad :)

SSL authenticates the server and secures data on the wire against
tampering. However, we want to authenticate the _author_ of packages,
not the hackage server and securing data on the wire is a non-issue
since all data is gpg signed. The hackage server is not special, the
authors are the primaries and the hackage sever is just a convienient
meeting place and an ad hoc (but not special or mandatory) namespace
management center for packages. 

There is a place for SSL, and that is if hackage allows any sort of
password based modification of content via web forms. But for the basic
functionality of storing and serving packages, it is not needed.


John Meacham - ⑆⑆john⑈ 

More information about the Libraries mailing list