Re: GnuPG weak as one guy with a spare laptop.
What is your point exactly? How secure are Verisign, Thawte or
anyone else's servers, beyond their just stating "We take X
precautions"? Look at just about all of the top companies:
Microsoft, Sun, Yahoo, Citibank. They've all been hit at some point
because "X" wasn't secure. Right now I could register at
Comodogroup.com for a free signing cert for email. It means
nothing. Servers storing keys mean little, since there is no
authority body to verify the validity of a security claim. So your
point is moot.

http://www.schneier.com/paper-pki-ft.txt
On Tue, 14 Mar 2006 12:50:54 -0500 "Forrest J. Cavalier III"
<mibsoft@xxxxxxxxxxxxxxx> wrote:
>"A chain is only as strong as its weakest link."
>
>When I get the GnuPG distribution from the non-secure http://gnupg.org
>(or a https://gnupg.org with a CAcert.org certificate) I get a
>distribution signed by Werner Koch's key, issued one day after the
>previous signing key expired 2006-01-01.
>
>The previous expired GnuPG signing key has 160 signatures on the MIT
>keyserver.
>
>The new key is signed by Werner Koch's own certification key, and
>that's it.
>
>How secure is that certification key? When I finger wk@xxxxxxxxxxx
>(another insecure protocol) I get a keyblock. Above the keyblock is
>some text which includes this sentence:
>
> "The primary key is stored at a more or less secure place and
> only used on a spare laptop which is not connected to any network."
>
>Can anyone estimate the incredible value of the communications and
>storage relying on software signed by that one guy with a "spare
>laptop in a more or less secure place"?
>
>One human being, vulnerable, fallible. Can he be bought, blackmailed,
>coerced? Hit by a bus?
>
>Can this situation be improved? I say yes.
>
>Maybe your company has never funded volunteer developers. Maybe you
>asked, and found you don't do "donations." Maybe you are just a
>single-person consulting business.
>
>Before last year, I had never paid anyone for all this great free
>beer.
>
>But last year I landed a contract that included the need to do secure
>code distribution automatically. I could never have done it without
>calling OpenSSL libraries. So, I used PayPal to pay one of the lead
>developers of OpenSSL to do a code review. We easily settled on a
>contract amount that gave me a great code review. It was well worth
>it. Fully tax deductible for me as a business expense.
>
>But the community got something too.
>
>As mutually agreed ahead of time, the developer got paid more than his
>straight regular consulting rate. Now he could have kept that as a
>fat contract, and moved on. But from his perspective, he covered his
>costs, and then looked at the "extra" as compensation for general
>OpenSSL improvements to benefit the whole community.
>
>This may be a way you can convince your company to fund volunteer
>developers too. If a couple of users a week did that, wouldn't Werner
>Koch and colleagues put some effort towards making stronger weakest
>links? Wouldn't all of us benefit?
>
>Now back to this weakest link. Do Werner Koch and colleagues have a
>PayPal account or other verified way of receiving electronic payments
>easily?