<<< Date Index >>>     <<< Thread Index >>>

GnuPG weak as one guy with a spare laptop.



"A chain is only as strong as its weakest link."

When I get the GnuPG distribution from the non-secure http://gnupg.org (or a https://gnupg.org with a CAcert.org certificate) I get a distribution signed by Werner Koch's key issued one day after the previous signing key expired 2006-01-01.

The previous expired GnuPG signing key has 160 signatures on the MIT keyserver.

The new key is signed by Werner Koch's own certification key, and that's it.

How secure is that certification key? When I finger wk@xxxxxxxxxxx (another insecure protocol) I get a keyblock. Above the keyblock is some text which includes this sentence:

   "The primary key is stored at a more or less secure place and only used on a
    spare laptop which is not connected to any network."

Can anyone estimate the incredible value of the communications and storage relying on software signed by that one guy with a "spare laptop in a more or less secure place"?

One human being, vulnerable, fallible.  Can he be bought, blackmailed, coerced?
Hit by a bus?

Can this situation be improved?  I say yes.

Maybe your company has never funded volunteer developers. Maybe you asked, and found you don't do "donations." Maybe you are just a single-person consulting business.

Before last year, I had never paid anyone for all this great free beer.

But last year I landed a contract that included the need to do secure code distribution automatically. I could never have done it without calling OpenSSL libraries. So, I used paypal to pay one of the lead developers of OpenSSL to do a code review. We easily settled on a contract amount that gave me a great code review. It was well worth it. Fully tax deductible for me as a business expense.

But the community got something too.

As mutually agreed ahead of time, the developer got paid more than his straight regular consulting rate. Now he could have kept that as a fat contract, and moved on. But from his perspective, he covered his costs, and then looked at the "extra" as compensation for general OpenSSL improvements to benefit the whole community.

This may be a way you can convince your company to fund volunteer developers too. If a couple of users a week did that, wouldn't Werner Koch and colleagues put some effort towards making stronger weakest links? Wouldn't all of us benefit?

Now back to this weakest link. Does Werner Koch and colleagues have a Paypal account or other verified way of receiving electronic payments easily?