Hi all,

I've been fairly quiet after the original post, as I'm out of the country for the next week. But I do want to reply (and hope to give a better reply once I'm back home).

I do agree that sophisticated Man in the Middle attacks are hard to do. And I'm well aware of the idea that PGP stood for privacy that was "Pretty Good", not perfect. And in the chain of trust, there is only "good enough" because the Rabbit Hole goes down forever (do you trust your CPU and its microcode, the BIOS, the people who signed a key/cert, and yeah, the NSA could be sniffing for EM signatures of hard drive writes). And of course, I'd be disappointed if the GPG community wasn't quick to raise these issues and point out every subtle error of argument in the original email. After all, this is a community dedicated to establishing the meaning of a circle of trust.

But I'm afraid that RJH here is the only one who really focused on the true intent of the original email. It was really quite a simple objective... I want "Pretty Good" certainty that the .EXE I download is the .EXE produced by the GPG community. And in the case of Windows, this Pretty Good certainty when downloading the Win32 GPG client is the important first step in establishing an ongoing PGP style chain of trust. Using the downloaded Win32 GPG client to then check its own integrity, absent some other available check, just doesn't meet what I'd consider "Pretty Good" message integrity (nor is it "Pretty Bad"... yes, it's somewhere in the middle, as script kiddies would find it difficult to hack and the NSA would surely win regardless if they tried).

I really respect RJH's reply, as he gave concrete recommendations on how I can verify the authenticity of the download. It's a bit user-unfriendly, as it involves getting a trusted copy of Linux first, but that can be done. I thank you Robert.

So here's the suggestion... for only $80/year for a 3-year certificate, you can sign the EXE using the Windows Authenticode standard (or the Mac code signing standard, or the Java Jar signing standard, and many other systems that use CERTS for code signing). Then, everyone downloading GPG onto Windows, Mac, or elsewhere can verify the signature on the downloaded file. Is it perfect? No. Could the private key be stolen? Of course. But is it "Pretty Good" by the community standard? You bet. And now GPG can be used from there on, establishing access to the GPG circle of trust for that PC/Mac/machine.

To the community, I ask... rather than having a debate of the nature of vulnerabilities and how easy it is for a 4-year-old Linux based home router to be hacked or which skills would be needed to use that hacked router in an MTM attack, why not ask ourselves how we can do a little bit more to make our privacy even more secure.

As a community, we do value message integrity, privacy, trust, and certainty, yes? Comodo will sell a 3-year cert for $240. Heck, I'll even throw in the $240 if the community agrees to use the cert to sign future Windows & Mac clients using the native OS's code signing system (Authenticode on Windows).

In summary, a program can't remain "Pretty Good" for long, if people aren't always looking for ways to make "Pretty Good" even better. And after all, isn't that what this community is about? Making Pretty Good even better, and trust accessible to everyone, regardless of platform.

With Regards,
Doug
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users