
Re: debcheckroot v2.0 released



On 26.03.20 at 03:50, Paul Wise wrote:
> On Wed, 2020-03-25 at 11:27 +0100, Elmar Stellnberger wrote:
>
> > OpenPGP is no solution to the issue.
> > DANE is not gonna disappear.
>
> I guess we will have to agree to disagree, end of thread for me.


I am far from having nothing more to say about it. Most people who provide signatures store their private key on a machine that is also used for web browsing. I know this also applies to Debian, because keeping the key secure, or best of all offline, would require some considerable provisions, and AFAIK none of you have implemented a separation of concerns, i.e. one computer for browsing and another one for secure ssh connections. That would be required, though, to keep the secret key safe. We have an arbitrary code execution bug in browsers every few months, and that does not count the zero-day exploits at all. Sites on the web are commonly spoofed by secret services; even the Snowden revelations tell of it (operation Quantum Insert). That way the secret key is guaranteed to be compromised a few milliseconds after its creation. The NSA also has its own key-stealing programme. I want to tell you that you are better off checking the SHA512SUM. That one, as soon as you have retrieved a genuine one, can no longer be spoofed. Besides this, it is a common attack vector to infect computers via online updates. Once more, they need to know the secret key in order to do so!
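The check the message ends on, verifying downloads against a SHA512SUMS manifest that you already trust, as an added example written for this page; it is not the poster's code nor anything shipped by Debian or debcheckroot. It assumes the coreutils sha512sum line layout ("<hex>  <name>" or "<hex> *<name>") that Debian's SHA512SUMS files follow; the file names and contents are constructed stand-ins, and the pinned manifest digest stands in for one obtained over a separate channel.

```python
"""Verify files against a SHA512SUMS manifest whose own digest is pinned out of band."""
import hashlib
import hmac

HEX_LEN = 128  # SHA-512 yields 64 bytes, i.e. 128 hex characters


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def sha512_of_path(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file from disk so a multi-GB image is never held in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse sha512sum-style lines into {filename: lowercase hex digest}.

    Filenames may contain spaces, so the separator is located by position rather
    than by split(). Malformed lines raise instead of being skipped: a manifest you
    cannot parse is a manifest you cannot trust.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if not line.strip() or line.startswith("#"):
            continue
        digest, rest = line[:HEX_LEN], line[HEX_LEN:]
        if len(digest) != HEX_LEN or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"line {lineno}: bad digest field")
        if rest[:2] not in ("  ", " *"):
            raise ValueError(f"line {lineno}: bad separator")
        name = rest[2:]
        if not name or name in entries:
            raise ValueError(f"line {lineno}: empty or duplicate filename {name!r}")
        entries[name] = digest.lower()
    return entries


def manifest_is_genuine(text: str, pinned_hex: str) -> bool:
    """The manifest is only as good as where it came from: compare it to a digest
    obtained over a separate channel (noted down earlier, read from a second mirror,
    received out of band) before trusting any entry in it."""
    return hmac.compare_digest(sha512_hex(text.encode()), pinned_hex.lower())


def verify_files(manifest_text: str, files: dict) -> dict:
    """Return {name: 'OK' | 'FAILED' | 'MISSING'} for every entry in the manifest.

    `files` maps name -> bytes; for on-disk files use sha512_of_path() instead.
    """
    expected = parse_manifest(manifest_text)
    results = {}
    for name, want in expected.items():
        if name not in files:
            results[name] = "MISSING"
            continue
        got = sha512_hex(files[name])
        # compare_digest: constant-time, so the comparison leaks nothing about
        # where the first differing hex digit sits
        results[name] = "OK" if hmac.compare_digest(got, want) else "FAILED"
    return results


# Constructed sample data; these are not real Debian artefacts or digests.
FILES = {
    "debian-stand-in.iso": b"constructed stand-in for an installer image\n",
    "Release": b"constructed stand-in for a Release file\n",
}
# Same set, but the image has one byte appended by an on-path attacker.
TAMPERED = dict(FILES, **{"debian-stand-in.iso": FILES["debian-stand-in.iso"] + b"\x00"})
GOOD_MANIFEST = "".join(f"{sha512_hex(d)}  {n}\n" for n, d in FILES.items())
# Hypothetical pin: in practice this value comes from a channel the download did not use.
PINNED_MANIFEST_DIGEST = sha512_hex(GOOD_MANIFEST.encode())


if __name__ == "__main__":
    if not manifest_is_genuine(GOOD_MANIFEST, PINNED_MANIFEST_DIGEST):
        raise SystemExit("manifest does not match the pinned digest; stop here")
    print(verify_files(GOOD_MANIFEST, FILES))                        # both OK
    print(verify_files(GOOD_MANIFEST, TAMPERED))                     # iso FAILED
    print(verify_files(GOOD_MANIFEST, {"Release": FILES["Release"]}))  # iso MISSING
```

The order matters: the manifest's own digest is checked against the pin first, and only then are the per-file digests compared. Whether a modified manifest fails the pin check, or a modified file fails its digest check, the verifier refuses, which is the "once you have a genuine one" property the message relies on.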

