sks-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]

From: Heiko Richter
Subject: Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]
Date: Sun, 14 Jan 2018 18:23:59 +0000 (UTC)
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.2 
Am 14.01.2018 um 16:55 schrieb Kristian Fiskerstrand:
> On 01/14/2018 01:04 PM, Heiko Richter wrote:
>> The fact that your GPG client shows a secure connection is
>> either due to a faulty/incomplete validation algorithm that doesn't
>> check the ca signature of the servers cert or because "Kristian-CA" is
>> hardcoded into GnuPG. I don't know which one it is and don't really care
>> because both situations would be relics of 90s-incompetence that
>> compromise security and should have been removed from gnupg years ago.
> Quite the contrary, this is the correct behavior from a security
> perspective. And yes, the CA is included for the pool specifically.
>
> Using HKPS from web browser is less of an issue as that is wrong use of
> keyservers in nine out of ten situations as a local client is anyways
> needed to properly validate the packet information provided in the
> OpenPGP keyblock.
>
> That said I'm a bit surprised about this discussion, nobody is required
> to use a single pool of keyservers.
>
And another person fighting for things that were abolished decades ago.

Sorry Kristian, but hardcoding a root certificate into a program has
*never* been any kind of accepted security system. Quite the opposite,
any program doing this is insecure because there is no way of revocing
that root certificate. Roots don't belong into programs but into trusted
certificate stores that are distributed in regular intervals and can be
updates independent of the program. I understand why this was done when
there was no other way, because Open Source projects don't have the
money to buy trusted certificates. But with the establishment of Let's
Encrypt that's just a security hole nobody needs anymore. You sign
certificates that are valid for a year and you have no way of revocation
that will make its way to the clients. That's just wrong.

And again: It's not about the browsers, the fact that they seem to be
the only programs that do *real* certificate validation because most
other software uses concepts out of the stoneage is not a reason. It's
the definition of stupidity!

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to
[Prev in Thread] Current Thread [Next in Thread]