Date: Tue, 14 Mar 2006 12:50:54 -0500
From: "Forrest J. Cavalier III" <mibsoft@...software.com>
To: bugtraq@...urityfocus.com
Subject: GnuPG weak as one guy with a spare laptop.


"A chain is only as strong as its weakest link."

When I get the GnuPG distribution from the non-secure http://gnupg.org (or a 
https://gnupg.org with a CAcert.org certificate) I get a distribution signed by 
Werner Koch's key issued one day after the previous signing key expired 
2006-01-01.

The previous expired GnuPG signing key has 160 signatures on the MIT keyserver.

The new key is signed by Werner Koch's own certification key, and that's it.

How secure is that certification key?  When I finger wk@...code.com (another 
insecure protocol) I get a keyblock.  Above the keyblock is some text which 
includes this sentence:

    "The primary key is stored at a more or less secure place and only used on a
     spare laptop which is not connected to any network."

Can anyone estimate the incredible value of the communications and storage 
relying on software signed by that one guy with a "spare laptop in a more or 
less secure place"?

One human being, vulnerable, fallible.  Can he be bought, blackmailed, coerced?
Hit by a bus?

Can this situation be improved?  I say yes.

Maybe your company has never funded volunteer developers.  Maybe you asked, and 
found you don't do "donations."  Maybe you are just a single-person consulting 
business.

Before last year, I had never paid anyone for all this great free beer.

But last year I landed a contract that included the need to do secure code 
distribution automatically.  I could never have done it without calling OpenSSL 
libraries.  So, I used paypal to pay one of the lead developers of OpenSSL to do 
a code review.  We easily settled on a contract amount that gave me a great code 
review.  It was well worth it.  Fully tax deductible for me as a business expense.

But the community got something too.

As mutually agreed ahead of time, the developer got paid more than his straight 
regular consulting rate.  Now he could have kept that as a fat contract, and 
moved on.  But from his perspective, he covered his costs, and then looked at 
the "extra" as compensation for general OpenSSL improvements to benefit the 
whole community.

This may be a way you can convince your company to fund volunteer developers 
too.  If a couple of users a week did that, wouldn't Werner Koch and colleagues 
put some effort towards making stronger weakest links?  Wouldn't all of us benefit?

Now back to this weakest link.  Do Werner Koch and colleagues have a Paypal 
account or other verified way of receiving electronic payments easily?
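The comparison the post draws (160 third-party signatures on the expired signing key versus a single one, from the holder's own certification key, on its replacement) is something a downstream user can check mechanically before trusting a distribution signature. As an added example, not part of the original post, the Python below parses `gpg --list-sigs --with-colons` output and counts certifications that do not come from the key itself or from other keys held by the same person. The key IDs, user IDs and signature counts in SAMPLE are constructed placeholders, not the real GnuPG keys.

```python
# Constructed sample of `gpg --list-sigs --with-colons` output; key IDs, names
# and signature counts are placeholders, not the real GnuPG distribution keys.
# Colon fields (0-based): 0 record type, 4 key ID, 5 created, 6 expires, 9 user ID.
SAMPLE = """\
pub:e:1024:17:OLDKEY0000000001:2002-01-01:2006-01-01::-:
uid:e::::2002-01-01::ABC::Distribution Signing Key (expired)::
sig:::17:OLDKEY0000000001:2002-01-01::::Distribution Signing Key (expired):13x:
sig:::17:SIGNER0000000AAA:2002-03-10::::Alice Example <alice@example.org>:10x:
sig:::17:SIGNER0000000BBB:2003-07-22::::Bob Example <bob@example.org>:12x:
sig:::17:SIGNER0000000CCC:2004-11-05::::Carol Example <carol@example.org>:13x:
pub:-:1024:17:NEWKEY0000000002:2006-01-02:2008-01-01::-:
uid:-::::2006-01-02::DEF::Distribution Signing Key (2006)::
sig:::17:NEWKEY0000000002:2006-01-02::::Distribution Signing Key (2006):13x:
sig:::17:OWNERCERT0000003:2006-01-02::::Maintainer Certification Key:13x:
"""

def parse_listing(text):
    """Map key ID -> {"uid": str, "signers": set of certifying key IDs}.
    'sig' records belong to the preceding 'pub' record; self-signatures
    (signer == signed key) are dropped, as they say nothing about third-party trust."""
    keys, current = {}, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]
            keys[current] = {"uid": "", "signers": set()}
        elif f[0] == "uid" and current:
            keys[current]["uid"] = keys[current]["uid"] or f[9]
        elif f[0] == "sig" and current and f[4] != current:
            keys[current]["signers"].add(f[4])
    return keys

def independent_certifications(keys, same_owner=frozenset()):
    """Certifying keys per key, excluding `same_owner` (other keys held by the
    same person, e.g. a personal certification key signing one's own signing key)."""
    return {k: len(v["signers"] - same_owner) for k, v in keys.items()}

def weakest_link(keys, same_owner=frozenset(), minimum=3):
    """Key IDs whose independent certification count falls below `minimum`."""
    counts = independent_certifications(keys, same_owner)
    return sorted(k for k, n in counts.items() if n < minimum)

if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    owner_keys = {"OWNERCERT0000003"}  # assumed: the maintainer's own certification key
    for key, n in independent_certifications(parsed, owner_keys).items():
        print(f"{key} [{parsed[key]['uid']}]: {n} independent certification(s)")
    print("below threshold:", weakest_link(parsed, owner_keys))
```

On a real keyring, pipe `gpg --list-sigs --with-colons <keyid>` into `parse_listing` and put the holder's other known key IDs in `same_owner`; the threshold in `weakest_link` is a policy choice, not a GnuPG default.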
