On 2024-08-23 06:27, Ineiev via Gnupg-users wrote:
> On Thu, Aug 22, 2024 at 02:01:15PM +0200, Björn Persson wrote:
>> Those who already have GPG and the release-signing keys can verify the
>> next version of GPG that way. To anyone who doesn't already have GPG,
>> HTTPS is the best integrity protection they will get.
> Meeting Werner in person may be a better option for some people.

Which is the major downfall of the PGP/GPG web of trust. Most end users
never get to meet a member of the cabal that participates in the relevant
key signing parties, especially not in a context where key fingerprints
are shared. This means that end users need to rely on published keys
and fingerprints, and in modern days the only widely available place to
read such published fingerprints is on CA-signed HTTPS sites, which
effectively chains the GPG key to the CA that signed the website.

In contrast, when GPG/PGP was an underground phenomenon, it was difficult
to get without knowing someone who knows someone, and public fingerprints
could (if needed) be posted in paper publications such as high
circulation papers like Frankfurter Allgemeine, Times of London or BYTE
Magazine with the assurance that the paper purchased at a Rome newsstand
was from the same physical print run as the ones sold near the developer's
home town (and not an Internet print on demand by a local print shop).


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
