Security Concern: Unsigned Windows Executable

Doug Bateman doug at
Sun Jun 7 07:01:06 CEST 2009

I want to follow up with this quote from Phil Zimmermann that has always
touched me deeply, and told me what PGP and the PGP community are all about,
and why having a system built ground up for trust, is so important...

Quoting Phil's testimony before congress:

I want to read you a quote from some E-mail I got in October 1993 from
someone in Latvia, on the day that Boris Yeltsin was shelling his own
Parliament building:

*"Phil I wish you to know: let it never be, but if dictatorship takes over
Russia your PGP is widespread from Baltic to Far East now and will help
democratic people if necessary. Thanks."*
Is it unreasonable to reach out to the needs of Windows & Mac users when
authenticating their copy of GPG?  Especially when it is so easy to do?
I'll pay the $240 for a 3 year cert, if you're willing to sign the client.
To me, it's about trust, freedom, and hope.  And I want everyone to have
access to that, even the PC users.

On Sat, Jun 6, 2009 at 9:56 PM, Doug Bateman <doug at> wrote:

> Hi all,
> I've been fairly quite after the original post, as I'm out of the country
> for the next week.  But I do want to reply (and hope to give a better reply
> once I'm back home).  I do agree that sophisticated Man in the Middle
> attacks are hard to do.  And I'm well aware of the idea that PGP stood for
> privacy that was "Pretty Good", not perfect.  And in the chain of trust,
> there is only "good enough" because the Rabbit Hole goes down forever (do
> you trust your cpu and it's microcode, the bios, the people who signed a
> key/cert, and yeah, the NSA could be sniffing for EM signatures of harddrive
> writes).  And of course, I'd be disapointed if the GPG community wasn't
> quick to raise thes issues and point out every suttle error of argument in
> the original email.  After all, this is a coommunity dedicated to
> establishing the meaning of a circle of trust.
> But I'm afraid that RJH here is the only one who really focused on the true
> intent of the original emiail.  It was really quite a simple objective... I
> want "Pretty Good" certainty that the .EXE I download is the .EXE produced
> by the GPG community.  And in the case of Windows, this Pretty Good certainy
> when downloading the Win32 GPG client is the important first step in
> establishing an ongoing PGP style chain of trust.  Using the downloaded
> Win32 GPG client to then check it's own integrity, absent some other
> available check, just doesn't meet what I'd consider "Pretty Good" message
> integrity (nor is it "Pretty Bad"... yes, it's somewhere in the middle, as
> script kiddies would find it difficult to hack and the NSA would surely win
> regardless if they tried).
> I really respect RJH's reply, as he gave concrete recommendations on how I
> can verify the authenticity of the download.  It's a bit user-unfriendly, as
> it involves getting a trusted copy of linux first, but that can be done.  I
> thank you Robert.
> So here's the suggestion... for only $80/year for a 3-year certificate, you
> can sign the EXE using the Windows Authenticode standard (or the mac code
> signing standard, or the Java Jar signing standard, and many other systems
> that use CERTS for code signing).  Then, everyone downloading GPG onto
> Windows, Mac, or elsewhere can verify the signature on the downloaded file.
> Is it perfect, no.  Could the private key be stolen.  Of course.  But is it
> "Pretty Good" by the community standard.  You bet.  And now GPG can be used
> from there on, establishing access to the GPG circule of trust for that
> PC/Mac/machine.
> To the community, I ask... rather than having a debate of the nature of
> vulnerabilities and how easy it is for a 4-year-old linux based home router
> to be hacked or which skills would be needed to use that hacked router in an
> MTM attack, why not ask ourselves how we can do a little bit more to make
> our privacy even more secure.  As a community, we do value message
> integrity, privacy, trust, and certainty, yes?  Codomo will sell a 3-year
> cert for $240.  Heck, I'll even throw in the $240 if the community agrees to
> use cert to sign future Windows & Mac clients using the native OS's code
> signing system (Authenticode on windows).
> In summary, a program can't remain "Pretty Good" for long, if people aren't
> always looking for ways to make "Pretty Good" even better.  And after all,
> isn't that what this community is about?  Making Pretty Good even better,
> and trust accessible to everyone, regardless of platform.
> With Regards,
> Doug
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20090606/85a0269b/attachment.htm>

More information about the Gnupg-users mailing list