plaintext non-ssl distribution - who thinks this is a good idea?

Bernhard Reiter bernhard at intevation.de
Fri Sep 11 09:21:02 CEST 2015


Hi all,

On Friday 11 September 2015 at 00:15:51, Daniel Kahn Gillmor wrote:
> On Thu 2015-09-10 18:05:35 -0400, Robert J. Hansen wrote:
> >> Who else thinks someone should spring for the $10 it would take to
> >> buy and install an SSL certificate for the principal distribution
> >> point of gpg and its signatures on the world's most popular
> >> platform?
> >
> > There are many better ways for Werner to spend his time and money.
> >
> > (Getting an Authenticode certificate, for instance.)

Like Daniel wrote: It takes more than 10€ to do this.

Gpg4win already signs the installer with an Authenticode certificate
(which costs a few hundred €s).

For services like wald or wiki.gnupg.de, experts have a trust path
via ca.intevation.de.

However we believe it is useful to secure some services with TLS.

> But this is a "trusted introducer" problem, and
> the cartel is the only set of trusted introducers available to people
> who don't already have GnuPG.
>
> There is already discussion about getting HTTPS set up for gpg4win.org.
> Bernhard Reiter (cc'ed here) knows about it, and other offers of help
> have already been made over on gpg4win-users-en at wald.intevation.org,
> which is a better place to discuss gpg4win-specific issues.
>
> It's more an issue of getting an admin to spend a couple hours coaxing
> the website into compliance and dealing with the fallout from the SNI
> issues.

Yes. 
Background is that Gpg4win traditionally shares some services with some other
Free Software initiatives, so in comparison to a fresh setup we need to
detangle and migrate some services. This needs some time and planning from
those that run the services. (And for some years now Gpg4win does not have
the same level of funding that GnuPG has recently acquired. So there are some
old structures to modernise.)

> Bernhard, is there anything else the rest of us can do to get this ball
> rolling?

Thomas (in cc) is one of our system administrators; he will steer the process
from our side and respond to your question (on
gpg4win-users-en at wald.intevation.org I guess, but this is up to him. :) ).

Best,
Bernhard

-- 
www.intevation.de/~bernhard (CEO)    www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner