gpg for pseudonymous users [was: Re: gpg for anonymous users - Alternative to the web of trust?]
Jean-David Beyer
jeandavid8 at verizon.net
Fri Apr 5 20:16:22 CEST 2013
On 04/05/2013 11:39 AM, Stan Tobias wrote:
> The problem we're trying to solve here is how to ascertain originality
> of a software development line, IOW how to authenticate it.
What I do is get my OS (a Linux distribution from Red Hat) on a DVD
directly from them. It contains, along with everything else, their
public key that I do not validate by any other means; I assume that it
is authentic. And they sign all the software they download to me from
their site. So unless a man in the middle, working for the Post Office
or UPS or FedEx (I forget which) substitutes DVDs ... . But as long as
Mr. Red and Ms. Hat can be trusted, I do not care if they are the two
individuals, a corporation, or what.
SO
* I am not protected from any black hats subversively working for Red Hat.
* I am not protected if their site is hijacked by black hats until
they discover it and correct it. But unless they also hijack the
computer not connected to the Internet (see below), this will not be enough.
* I am not protected if the DNS is damaged somewhere and when my update
software tries to get updates from Red Hat, some other site that has Red
Hat's private key signs whatever they choose to download to my machine.
I suppose bribery or physical violence might get that key faster than
exhaustive search... .
Probably the software Red Hat supplies is kept on a machine that is not
on the Internet and it is all signed on that machine. At which point,
the signed software is placed on an Internet-connected machine for
downloading (seems like a good idea to me).
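The check this trust model rests on (an update is accepted only if it is signed by the key that came on the install media, not by any key that happens to be in the keyring), as an added Python example; it is not code from the post or from Red Hat, and the pinned fingerprint and the gpg status lines are constructed samples:

```python
# Added example: pin the vendor key taken off the install media and accept an
# update only when gpg reports a valid signature made by that exact key.
import subprocess
from typing import Optional

# Assumed fingerprint of the key read from the DVD: a constructed placeholder.
PINNED_VENDOR_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"


def signing_fingerprint(status_output: str) -> Optional[str]:
    """Fingerprint of the key behind a valid signature, or None if gpg reported
    none (BADSIG, ERRSIG/NO_PUBKEY, tampered data)."""
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # VALIDSIG <signing key fpr> <date> <ts> <expire> <ver> <reserved>
            #          <pk-algo> <hash-algo> <sig-class> [<primary key fpr>]
            # Pin on the primary key: vendors routinely sign with a subkey.
            return (parts[11] if len(parts) >= 12 else parts[2]).upper()
    return None


def update_is_trusted(status_output: str, pinned_fpr: str = PINNED_VENDOR_FPR) -> bool:
    """GOODSIG from some other key in the keyring is not enough; the signer
    must be the key that came with the install media."""
    fpr = signing_fingerprint(status_output)
    return fpr is not None and fpr == pinned_fpr.upper()


def verify_package(package: str, signature: str) -> bool:
    """Verify a detached signature with gpg and apply the pin to its status
    output.  Needs gpg installed; the constructed samples below do not call it."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, package],
        capture_output=True, text=True, check=False)
    return update_is_trusted(proc.stdout)


# Constructed: valid signature by a signing subkey of the pinned key.
SAMPLE_VENDOR = (
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Vendor Release Key <release@vendor.example>\n"
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2013-04-05 "
    "1365186982 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567\n")
# Constructed: valid signature, but from an unrelated key that is also in the keyring.
SAMPLE_OTHER = (
    "[GNUPG:] GOODSIG 0011223344556677 Someone Else <other@example.net>\n"
    "[GNUPG:] VALIDSIG 00112233445566770011223344556677AABBCCDD 2013-04-05 "
    "1365186982 0 4 0 1 10 00 00112233445566770011223344556677AABBCCDD\n")
# Constructed: the file was altered, so the signature fails.
SAMPLE_BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Vendor Release Key <release@vendor.example>\n"
```

The pin does nothing against an attacker who holds the vendor's private key, which is exactly the residual risk the post describes; it only closes the case where a signature from some other trusted key would otherwise pass.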