[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4417027E.1070801@mibsoftware.com>
Date: Tue, 14 Mar 2006 12:50:54 -0500
From: "Forrest J. Cavalier III" <mibsoft@...software.com>
To: bugtraq@...urityfocus.com
Subject: GnuPG weak as one guy with a spare laptop.
"A chain is only as strong as its weakest link."
When I get the GnuPG distribution from the non-secure http://gnupg.org (or a
https://gnupg.org with a CAcert.org certificate) I get a distribution signed by
Werner Koch's key issued one day after the previous signing key expired
2006-01-01.
The previous expired GnuPG signing key has 160 signatures on the MIT keyserver.
The new key is signed by Werner Koch's own certification key, and that's it.
How secure is that certification key? When I finger wk@...code.com (another
insecure protocol) I get a keyblock. Above the keyblock is some text which
includes this sentence:
"The primary key is stored at a more or less secure place and only used on a
spare laptop which is not connected to any network."
Can anyone estimate the incredible value of the communications and storage
relying on software signed by that one guy with a "spare laptop in a more or
less secure place"?
One human being, vulnerable, fallible. Can he be bought, blackmailed, coerced?
Hit by a bus?
Can this situation be improved? I say yes.
Maybe your company has never funded volunteer developers. Maybe you asked, and
found you don't do "donations." Maybe you are just a single-person consulting
business.
Before last year, I had never paid anyone for all this great free beer.
But last year I landed a contract that included the need to do secure code
distribution automatically. I could never have done it without calling OpenSSL
libraries. So, I used paypal to pay one of the lead developers of OpenSSL to do
a code review. We easily settled on a contract amount that gave me a great code
review. It was well worth it. Fully tax deductible for me as a business expense.
But the community got something too.
As mutually agreed ahead of time, the developer got paid more than his straight
regular consulting rate. Now he could have kept that as a fat contract, and
moved on. But from his perspective, he covered his costs, and then looked at
the "extra" as compensation for general OpenSSL improvements to benefit the
whole community.
This may be a way you can convince your company to fund volunteer developers
too. If a couple of users a week did that, wouldn't Werner Koch and colleagues
put some effort towards making stronger weakest links? Wouldn't all of us benefit?
Now back to this weakest link. Does Werner Koch and colleagues have a Paypal
account or other verified way of receiving electronic payments easily?
Powered by blists - more mailing lists