bug-gnulib

Re: OpenPGP keys


From: Bruno Haible
Subject: Re: OpenPGP keys
Date: Tue, 10 Dec 2024 21:48:49 +0100

Simon Josefsson wrote:
> My primary goal is to have something stronger than a HTTPS URL to
> Savannah as a trust anchor for how to retrieve gnulib.  PGP signatures
> on a serialized file, like a tarball or git bundle, are stronger.

There's something I don't understand here. Can you please explain?

Ten years ago, PGP key signing parties were common. They are not common
any more. The prior knowledge summarization engine explains this with a
demise of the "web of trust" model (see attachment).

This is consistent with the following observation: When I download your
PGP key from https://savannah.gnu.org/users/jas, I see that it has only
self-signatures.

So, if the "web of trust" is dead, that is, people only self-sign their
keys, it means that Savannah trusts a developer's PGP key (and includes
it in the GNU keyring) *only* because that developer has submitted it via
the Savannah web interface, and for that he must have proven that he is
in possession of his Savannah web password.

Since an evil PGP key could be entered
  a) by an institution that is able to break the HTTPS of Savannah, or
  b) by an individual that is exploiting a web UI vulnerability of Savannah, or
  c) by an individual that has been hijacking the developer's desktop
     session for five minutes,
the authenticity of said PGP key is _weaker_ than the HTTPS of Savannah.

Hence, augmenting the HTTPS of Savannah with something that is weaker than
the HTTPS of Savannah does not add security. It merely adds a false impression
of added security. Right?

Bruno

Attachment: openpgp-web-of-trust.odt
Description: application/vnd.oasis.opendocument.text
