Message-ID: <20150322202332.5bfd0e4a@heffalump.sk2.org>
Date: Sun, 22 Mar 2015 20:23:32 +0100
From: Stephen Kitt <steve@....org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE for Kali Linux

On Sun, 22 Mar 2015 14:33:01 -0400, Daniel Micay <danielmicay@...il.com>
wrote:
[...]
> At best, GPG offered *zero value* compared to checking a hash provided
> via HTTPS, grabbing a torrent file via HTTPS or downloading directly via
> HTTPS. However, I think it's pretty clear that few users would have gone
> through with this and all it did was maintain the same security offered
> by the HTTPS PKI.
[...]

I don't have any objection to the rest of your argumentation, which seems
sensible to me; at the very least it's clear that all this needs to be made
much easier, and (proper) HTTPS use should be encouraged.

But I do believe that *at best*, GPG offers something that HTTPS doesn't:
signature validation with peer-to-peer trust via the web of trust. This is
"at best" because most users don't have a key in the strong set; but at least
for Debian, the archive keys are in the strong set, so anyone else with a
key in the strong set has at least one trust path to the archive key.

Of course that doesn't really help with the MITM scenario, since end users
would need to know that the archive key is supposed to be signed, and by
whom...

Regards,

Stephen
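An added illustration of the trust-path point above (example code, not from this mail or from GnuPG): a simplified model of GnuPG's classic trust calculation, with assumed defaults of completes-needed=1, marginals-needed=3 and max-cert-depth=5, run over constructed sample keys. It shows that a certification path to the archive key is necessary but not sufficient: the user still has to assign owner trust to the intermediate keys, which is the "by whom" caveat.

```python
# Simplified model of GnuPG's classic web-of-trust validity calculation
# (assumed defaults: completes-needed=1, marginals-needed=3, max-cert-depth=5).
from collections import deque

def compute_validity(owner_trust, certs, completes=1, marginals=3, max_depth=5):
    """Return {key: depth} for every key that becomes valid.
    owner_trust: key -> 'ultimate' | 'full' | 'marginal' | 'unknown'.
    certs: list of (signer, signed) meaning signer certified signed's key."""
    valid = {k: 0 for k, t in owner_trust.items() if t == "ultimate"}
    signers_of = {}
    for signer, signed in certs:
        signers_of.setdefault(signed, set()).add(signer)
    for depth in range(1, max_depth + 1):
        newly = {}
        for key, signers in signers_of.items():
            if key in valid:
                continue
            # Only certifications by already-valid keys count, weighted by owner trust.
            full = sum(1 for s in signers if s in valid and owner_trust.get(s) in ("ultimate", "full"))
            marg = sum(1 for s in signers if s in valid and owner_trust.get(s) == "marginal")
            if full >= completes or marg >= marginals:
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)
    return valid

def trust_path(certs, start, target):
    """Shortest chain of certifications from start to target, or None."""
    adj = {}
    for signer, signed in certs:
        adj.setdefault(signer, []).append(signed)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in adj.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

# Constructed sample data (no real keys): "me" certified four people met in
# person; three of them certified the hypothetical "archive" key.
CERTS = [("me", "alice"), ("me", "bob"), ("me", "carol"), ("me", "dave"),
         ("alice", "archive"), ("bob", "archive"), ("carol", "archive")]
TRUST_SET = {"me": "ultimate", "alice": "marginal", "bob": "marginal",
             "carol": "marginal", "dave": "full"}
TRUST_UNSET = {"me": "ultimate"}  # a path exists, but no owner trust is assigned
```

With TRUST_SET the archive key becomes valid at depth 2 through three marginal certifiers; with TRUST_UNSET the same path exists but the key never becomes valid.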
