Stefan Claas via Gnupg-users wrote:

> Mark H. Wood via Gnupg-users wrote:
>
> > On Sat, Dec 07, 2019 at 09:51:34PM +0100, Stefan Claas via Gnupg-users
> > wrote:
> > > Juergen BRUCKNER wrote:
> > >
> > > > Hi Stefan
> > > >
> > > > That's not the approach PGP pursues.
> > > > PGP was, is and should continue to be decentralized in the future. It
> > > > was never really intended to validate identities in a wide circle, but
> > > > to secure communication, and - in parts - to ensure the integrity of
> > > > software.
> > >
> > > Well, the integrity of software can also be shown with a simple hash
> > > value posted, because I cannot verify if the sig belongs to person
> > > xyz, even when he / she has a lot of fan sigs from people unknown to
> > > me.
> >
> > Yes, if you trust that the page with the hash on it has not been
> > compromised. Once the bad guy is inside the site, changing the hash
> > is just as easy as replacing the software. Signatures depend on
> > material that is *not* in the same place with the signed object (if
> > we're doing it right) and thus can be verified from independent
> > sources.
> >
> > Simple hashes can only detect simple failures. They have no value
> > against a careful adversary.
>
> The software author(s) can simply provide a, via blockchain, timestamped
> record[1] of the original hash value. Additionally, from time to time, a
> timestamped warrant canary would be a welcome addition too.

P.S. And regarding PGP signatures for security software releases: a
*super nice* gesture, which would IMHO have a major impact in the
OpenPGP ecosystem, would be if authors of security software who are
German nationals would have their software signing keys *certified*
by the German CA Governikus[2].

[2] https://pgp.governikus.de/pgp/

Regards
Stefan

--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
certified OpenPGP key blocks available on keybase.io/stefan_claas