Re: debcheckroot v2.0 released
On 26.03.20 at 03:50, Paul Wise wrote:
On Wed, 2020-03-25 at 11:27 +0100, Elmar Stellnberger wrote:
OpenPGP is no solution to the issue.
DANE is not gonna disappear.
I guess we will have to agree to disagree, end of thread for me.
I am far from not having to say more about it. Most people who
provide signatures store their private key on a machine also used for
web browsing. I know this also applies to Debian because keeping the key
secure, or at best offline, would require some considerable provisions, and
AFAIK none of you have implemented a separation of concerns, i.e. one
computer for browsing and another one for secure ssh connections.
That would be required, though, to keep the secret key safe. We have an
arbitrary code execution bug in browsers every few months, and that does
not count all the zero-day exploits at all. Sites on the www are
commonly spoofed by secret services. Even the Snowden revelations do
tell (operation Quantum Insert). That way the secret key is guaranteed
to be compromised a few milliseconds after its creation. The NSA also
has its own key stealing programme. I want to tell you that you are better
off checking the SHA512SUM. That one, as soon as you have retrieved a
genuine one, can no longer be spoofed.
Besides this it is a common attack vector to infect computers via
online updates. Once more they need to know the secret key in order to