Date: Fri, 10 Oct 2014 12:01:52 -0400 From: David Leon Gil <coruus@...il.com> To: Daniel Kahn Gillmor <dkg@...thhorseman.net>, kristian.fiskerstrand@...ptuouscapital.com Cc: oss-security@...ts.openwall.com, "gnupg-devel@...pg.org" <gnupg-devel@...pg.org>, Werner Koch <wk@...pg.org>, thijs@...ian.org Subject: Re: 0xdeadbeef comes of age: making keysteak with GnuPG On Fri, Oct 10, 2014 at 11:47 AM, Daniel Kahn Gillmor <dkg@...thhorseman.net> wrote: > If we're going to advocate for accessing keyservers via https (which i > think is a lovely idea, even if it doesn't mitigate all possible > attacks), it's worth advocating for the well-curated > hkps.pool.sks-keyservers.net , rather than encouraging everyone to > flood either https://keybase.io or https://pgp.mit.edu with traffic. My problem with the HKPS pool is that I don't know Kristian. And I don't have any reason to believe that he'd suffer serious financial damage if the private key for the "sks-keyservers.net CA" got used maliciously. (While I know that if a root CA were caught intentionally issuing an MitM cert for keybase.io or pgp.mit.edu would face likely delisting/bankruptcy.) I'd be really happy if Kristian published a GPG-signed log of every valid certificate for servers in the HKPS pool; then it would be possible for the distrustful -- or targeted -- to, say, query multiple HKPS keyservers. This is even better than trusting Root CAs + Kristian.)  Most hkps.pool.sks-keyservers.net don't have an alternative trust path to a standard root CA.  This is different from saying that I think he *would intentionally* sign a malicious cert, which I don't. I just have no idea how secure the private key for that CA is. And I know that a fully isolated, physically secure facility, and a good HSM are really expensive. (But maybe he is doing this?)  If this is already available somewhere, apologies; I haven't managed to find anything like it.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.