
Re: Debian Users Can't Download CD's Integrity/Sign or file-Signing PubKey, Over HTTPS/HKPS Encrypted Connection



On Tue, 12 Jul 2016 02:06:58 +0000 (UTC), <aterik1@yahoo.com> said:

> in https://www.debian.org/CD/verify webpage: (1a) please Show+Enable
> HKPS based GPG KeyServer, or (1b) Allow Single GPG PUBKEY File
> Download (which is including all file-signing pubkeys), Over (HTTPS)
> ENCRYPTED CONNECTION.

For what purpose?  Delivering the public key over an encrypted
connection doesn't help in ensuring the validity of the key when the
fingerprint is already delivered over an HTTPS connection.  The only
thing that it would help is in hiding what key(s) are being requested.

[...]

> CD/DVD image ISO file's GPG-SIGNATURE (sig/sign) FILE or SHAnnnSUMS
> INTEGRITY FILES (all of these files are very very TINY SIZED FILES
> (few KILOBYTES only), compared to the VERY large-sized main file, the
> ISO files).  So AT-LEAST sig/sign file + Sums/Hash code files, need to
> be shared with all users (from "https://cdimage.debian.org"; or
> https://www.debian.org/CD/ website) over HTTPS encrypted
> connection/transfer.

Again, for what purpose?  Delivering the signature files over HTTPS
doesn't help in ensuring the validity of the file, since it is validated
using GnuPG.

-- 
Hubert Chathi <uhoreg@debian.org> -- Jabber: hubert@uhoreg.ca
PGP/GnuPG key: 4096R/113A1368         https://www.uhoreg.ca/
Fingerprint: F24C F749 6C73 DDB8 DCB8  72DE B2DE 88D3 113A 1368
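The verification chain the reply describes can be made concrete. In the flow below, the only value a user must obtain over an authenticated channel (the HTTPS verify page) is the key fingerprint; the key, the signature file and the SHAnnnSUMS file can arrive over any transport because they are checked against that anchor rather than trusted by origin. This is an added example and not code from the thread or from Debian; the fingerprint, the status lines and the "ISO" bytes are constructed placeholders, and the `gpg --status-fd 1 --verify` invocation in `gpg_status_for` assumes a GnuPG binary on the PATH.

```python
import hashlib
import re
import subprocess

# Constructed placeholder standing in for the fingerprint copied from the
# HTTPS verification page. It is NOT a real Debian signing key.
TRUSTED_FINGERPRINTS = {"0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"}


def normalize_fpr(fpr):
    """Strip the spacing GnuPG prints and compare fingerprints case-insensitively."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_sums(text):
    """Parse a SHA512SUMS/SHA256SUMS-style file: '<hexdigest>  <filename>' per line.
    A leading '*' on the filename (binary-mode marker) is dropped."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()
    return sums


def file_matches(name, data, sums, algo="sha512"):
    """True only if the file's digest equals the entry in the (already verified) sums file."""
    expected = sums.get(name)
    if expected is None:
        return False
    return hashlib.new(algo, data).hexdigest() == expected


def signer_is_trusted(status_output, trusted=TRUSTED_FINGERPRINTS):
    """Decide from gpg --status-fd output whether the sums file was signed by
    an expected key. GOODSIG only says *some* key in the keyring produced a
    valid signature; VALIDSIG carries the fingerprint (and, as its last field,
    the primary key fingerprint when a subkey signed), which is what must be
    compared with the fingerprint taken from the HTTPS page."""
    wanted = {normalize_fpr(f) for f in trusted}
    matched = False
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "VALIDSIG":
            fpr = fields[2].upper()
            primary = fields[11].upper() if len(fields) > 11 else fpr
            if fpr in wanted or primary in wanted:
                matched = True
        elif keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"):
            return False
    return matched


def gpg_status_for(signature_path, data_path):
    """Run GnuPG and return its machine-readable status lines (assumes gpg is installed)."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", signature_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


# --- Constructed sample data so the checks can be exercised offline -----------
SAMPLE_ISO = b"constructed stand-in for an ISO image\n"
SAMPLE_SUMS = hashlib.sha512(SAMPLE_ISO).hexdigest() + "  debian-test.iso\n"

FPR_OK = "0123456789ABCDEF0123456789ABCDEF01234567"
FPR_OTHER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

# Constructed status output in the shape gpg emits for a good signature.
SAMPLE_STATUS_GOOD = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed CD signing key
[GNUPG:] VALIDSIG {FPR_OK} 2016-07-12 1468281600 0 4 0 1 10 01 {FPR_OK}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Valid signature, but from a key whose fingerprint is not the published one.
SAMPLE_STATUS_WRONG_KEY = SAMPLE_STATUS_GOOD.replace(FPR_OK, FPR_OTHER)
SAMPLE_STATUS_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Constructed CD signing key\n"


def check_image(name, data, sums_text, status_output):
    """Full chain: signature by the trusted fingerprint, then digest of the image."""
    if not signer_is_trusted(status_output):
        return False
    return file_matches(name, data, parse_sums(sums_text))


if __name__ == "__main__":
    print("good key, good hash :", check_image("debian-test.iso", SAMPLE_ISO, SAMPLE_SUMS, SAMPLE_STATUS_GOOD))
    print("wrong key, good hash:", check_image("debian-test.iso", SAMPLE_ISO, SAMPLE_SUMS, SAMPLE_STATUS_WRONG_KEY))
```

Note that `TRUST_UNDEFINED` is the normal outcome when the user has not signed the CD key themselves; the decision rests on the fingerprint comparison, not on the web-of-trust level, which is exactly why the published fingerprint is the piece that needs an authenticated channel.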

