Date: Sun, 22 Mar 2015 20:23:32 +0100 From: Stephen Kitt <steve@....org> To: oss-security@...ts.openwall.com Subject: Re: CVE for Kali Linux On Sun, 22 Mar 2015 14:33:01 -0400, Daniel Micay <danielmicay@...il.com> wrote: [...] > At best, GPG offered *zero value* compared to checking a hash provided > via HTTPS, grabbing a torrent file via HTTPS or downloading directly via > HTTPS. However, I think it's pretty clear that few users would have gone > through with this and all it did was maintain the same security offered > by the HTTPS PKI. [...] I don't have any objection to the rest of your argumentation, which seems sensible to me; at the very least it's clear that all this needs to be made much easier, and (proper) HTTPS use should be encouraged. But I do believe that *at best*, GPG offers something that HTTPS doesn't: signature validation with peer-to-peer trust via the web of trust. This is "at best" because most users don't have a key in the strong set; but at least for Debian, the archive keys are in the strong set, so any one else with a key in the strong set has at least one trust path to the archive key. Of course that doesn't really help with the MITM scenario, since end users would need to know that the archive key is supposed to be signed, and by whom... Regards, Stephen Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.