plaintext non-ssl distribution - who thinks this is a good idea?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Sep 11 00:15:51 CEST 2015


On Thu 2015-09-10 18:05:35 -0400, Robert J. Hansen wrote:
>> Who else thinks someone should spring for the $10 it would take to
>> buy and install an SSL certificate for the principal distribution
>> point of gpg and its signatures on the world's most popular
>> platform?
>
> There are many better ways for Werner to spend his time and money.
>
> (Getting an Authenticode certificate, for instance.)

This is not an either/or scenario; please don't pit the one project
against another.

Both can be addressed by dealing with the CA cartel.  It's frustrating
to do this, because we all know that the CA cartel is not particularly
trustworthy as a whole.  But this is a "trusted introducer" problem, and
the cartel is the only set of trusted introducers available to people
who don't already have GnuPG.

There is already discussion about getting HTTPS set up for gpg4win.org.
Bernhard Reiter (cc'ed here) knows about it, and other offers of help
have already been made over on gpg4win-users-en at wald.intevation.org,
which is a better place to discuss gpg4win-specific issues.

It's more an issue of getting an admin to spend a couple hours coaxing
the website into compliance and dealing with the fallout from the SNI
issues.

Bernhard, is there anything else the rest of us can do to get this ball
rolling?

        --dkg