Re: GnuPG weak as one guy with a spare laptop.

[<obnoxious () hush com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What is your point exactly? How secure are Verisign, Thawte or
anyone elses servers outside of them just stating "We take X
Precautions". Look at just about all of the top companies,
Microsoft, Sun, Yahoo, Citibank. They've all been hit at some point
because "X" wasn't secure. Right now I could register at
Comodogroup.com for a free signing cert for email. It means
nothing. Servers storing keys mean little since there is no
authority body to verify the validity of a security claim. So your
point is moot.

http://www.schneier.com/paper-pki-ft.txt

On Tue, 14 Mar 2006 12:50:54 -0500 "Forrest J. Cavalier III"
<mibsoft () mibsoftware com> wrote:
> "A chain is only as strong as its weakest link."
>
> When I get the GnuPG distribution from the non-secure
> http://gnupg.org (or a
> https://gnupg.org with a CAcert.org certificate) I get a
> distribution signed by
> Werner Koch's key issued one day after the previous signing key
> expired
> 2006-01-01.
>
> The previous expired GnuPG signing key has 160 signatures on the
> MIT keyserver.
>
> The new key is signed by Werner Koch's own certification key, and
> that's it.
>
> How secure is that certification key?  When I finger
> wk () g10code com (another
> insecure protocol) I get a keyblock.  Above the keyblock is some
> text which
> includes this sentence:
>
>    "The primary key is stored at a more or less secure place and
> only used on a
>     spare laptop which is not connected to any network."
>
> Can anyone estimate the incredible value of the communications and

> storage
> relying on software signed by that one guy with a "spare laptop in

> a more or
> less secure place"?
>
> One human being, vulnerable, fallible.  Can he be bought,
> blackmailed, coerced?
> Hit by a bus?
>
> Can this situation be improved?  I say yes.
>
> Maybe your company has never funded volunteer developers.  Maybe
> you asked, and
> found you don't do "donations."  Maybe you are just a single-
> person consulting
> business.
>
> Before last year, I had never paid anyone for all this great free
> beer.
>
> But last year I landed a contract that included the need to do
> secure code
> distribution automatically.  I could never have done it without
> calling OpenSSL
> libraries.  So, I used paypal to pay one of the lead developers of

> OpenSSL to do
> a code review.  We easily settled on a contract amount that gave
> me a great code
> review.  It was well worth it.  Fully tax deductible for me as a
> business expense.
>
> But the community got something too.
>
> As mutually agreed ahead of time, the developer got paid more than

> his straight
> regular consulting rate.  Now he could have kept that as a fat
> contract, and
> moved on.  But from his perspective, he covered his costs, and
> then looked at
> the "extra" as compensation for general OpenSSL improvements to
> benefit the
> whole community.
>
> This may be a way you can convince your company to fund volunteer
> developers
> too.  If a couple of users a week did that, wouldn't Werner Koch
> and colleagues
> put some effort towards making stronger weakest links?  Wouldn't
> all of us benefit?
>
> Now back to this weakest link.  Does Werner Koch and colleagues
> have a Paypal
> account or other verified way of receiving electronic payments
> easily?
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wkYEARECAAYFAkQYgEkACgkQo8cxM8/cskpuoQCfeOoTBVkLLypT/cy+Pp34Zv/pTzQA
oISNgTkqxWmIonkVfjIrkvkHI7An
=j6Gj
-----END PGP SIGNATURE-----




Concerned about your privacy? Instantly send FREE secure email, no account required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485