Bugtraq mailing list archives
Re: GnuPG weak as one guy with a spare laptop.
From: <obnoxious () hush com>
Date: Wed, 15 Mar 2006 16:00:33 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 What is your point exactly? How secure are Verisign, Thawte or anyone elses servers outside of them just stating "We take X Precautions". Look at just about all of the top companies, Microsoft, Sun, Yahoo, Citibank. They've all been hit at some point because "X" wasn't secure. Right now I could register at Comodogroup.com for a free signing cert for email. It means nothing. Servers storing keys mean little since there is no authority body to verify the validity of a security claim. So your point is moot. http://www.schneier.com/paper-pki-ft.txt On Tue, 14 Mar 2006 12:50:54 -0500 "Forrest J. Cavalier III" <mibsoft () mibsoftware com> wrote:
"A chain is only as strong as its weakest link." When I get the GnuPG distribution from the non-secure http://gnupg.org (or a https://gnupg.org with a CAcert.org certificate) I get a distribution signed by Werner Koch's key issued one day after the previous signing key expired 2006-01-01. The previous expired GnuPG signing key has 160 signatures on the MIT keyserver. The new key is signed by Werner Koch's own certification key, and that's it. How secure is that certification key? When I finger wk () g10code com (another insecure protocol) I get a keyblock. Above the keyblock is some text which includes this sentence: "The primary key is stored at a more or less secure place and only used on a spare laptop which is not connected to any network." Can anyone estimate the incredible value of the communications and
storage relying on software signed by that one guy with a "spare laptop in
a more or less secure place"? One human being, vulnerable, fallible. Can he be bought, blackmailed, coerced? Hit by a bus? Can this situation be improved? I say yes. Maybe your company has never funded volunteer developers. Maybe you asked, and found you don't do "donations." Maybe you are just a single- person consulting business. Before last year, I had never paid anyone for all this great free beer. But last year I landed a contract that included the need to do secure code distribution automatically. I could never have done it without calling OpenSSL libraries. So, I used paypal to pay one of the lead developers of
OpenSSL to do a code review. We easily settled on a contract amount that gave me a great code review. It was well worth it. Fully tax deductible for me as a business expense. But the community got something too. As mutually agreed ahead of time, the developer got paid more than
his straight regular consulting rate. Now he could have kept that as a fat contract, and moved on. But from his perspective, he covered his costs, and then looked at the "extra" as compensation for general OpenSSL improvements to benefit the whole community. This may be a way you can convince your company to fund volunteer developers too. If a couple of users a week did that, wouldn't Werner Koch and colleagues put some effort towards making stronger weakest links? Wouldn't all of us benefit? Now back to this weakest link. Does Werner Koch and colleagues have a Paypal account or other verified way of receiving electronic payments easily?
-----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.5 wkYEARECAAYFAkQYgEkACgkQo8cxM8/cskpuoQCfeOoTBVkLLypT/cy+Pp34Zv/pTzQA oISNgTkqxWmIonkVfjIrkvkHI7An =j6Gj -----END PGP SIGNATURE----- Concerned about your privacy? Instantly send FREE secure email, no account required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485
Current thread:
- GnuPG weak as one guy with a spare laptop. Forrest J. Cavalier III (Mar 15)
- <Possible follow-ups>
- Re: GnuPG weak as one guy with a spare laptop. obnoxious (Mar 17)
- Re: GnuPG weak as one guy with a spare laptop. Forrest J. Cavalier III (Mar 17)