Re: TLS encrypted source for Debian iso signing keys?
Might work in your reality, but not in mine.
In fact I know no one who is using Debian. They rather stick with
pirated Windoze. Even Linux users are very rare. Even more rare are
people using encryption. None of them is using gpg.
>From my location I'd have to take a flight.
Posting gpg signing keys works for many other websites. How it works and
how I suggest...
- Go to https://some-project-website.com.
- Some root CA vouches for the identity of some-project-website.com.
- The author posts his gpg public key (fingerprint) somewhere on
https://some-project-website.com.
- The root CA proofes that the gpg public key belongs to the admin of
some-project-website.com. (Possible breach in server security or root
CA.)
- The fingerprint was authenticated over SSL and at least the root CA
vouched for it, better than no one.
- Download the software.
- Download the hash.
- Gpg verifiy the hash.
- Compare the has with the software.
Agreed, that's not safe as gpg but it's still safer than no verification
at all.
For demonstration some imaginative values...
Probability, that
- download without any verification and attacker inserts a backdoor =
0,01 %
- download gpg key over SSL (root CA), gpg verify, root CA gets broken
and attacker inserts a backdoor = 0,001 %
- using gpg web of trust properly, someone found a flaw (zero day, no
one told about) in gpg, can impersonate any signature and attacker
inserts a backdoor = 0,0001 %.
There can no perfect security. There can be no guarantees. You can only
higher the effort for an attacker to break the system.
--
http://www.fastmail.fm - Access all of your messages and folders
wherever you are
Reply to: