Subject: Re: adding gpg to src/gnu/dist
To: None <tech-security@NetBSD.org, tech-userlevel@NetBSD.org>
From: Marc Tooley <netbsdMLpostNO@SPAM.quake.ca>
Date: 05/14/2004 12:07:15
On Friday 14 May 2004 09:53, Love wrote:
> Marc Tooley <netbsdMLpostNO@SPAM.quake.ca> writes:
> > Wouldn't a web-of-trust be a more reliable source of public key
> > information than a top-down hierarchy? I can be "more" sure that
> > the NetBSD public key is the real public key if a bunch of trusted,
> > intelligent friends also think it's the right public key.
> I'm sure we can get your trusted intelligent friends to sign the
> CA-certificate file with their PGP keys once they have made sure it's
> the right certificate.
It seems to me that from a user's perspective, GnuPG or even PGP is
relatively simple to use, while manual intervention in any openssl
process would be... painful, due to a near-complete lack of useful
documentation. And, without the ability of more users to satisfy
themselves that the packages are indeed from NetBSD, using such signing
mechanisms becomes useless; how did that line go in Spies Like Us... "A
weapon unused is a useless weapon." While that was silly
military-mocking humour, it seems that "An encryption system unused is
a useless encryption system" might be a little more apt here.
My point is that core is more than capable of using both GPG and OpenSSL
effectively. Our common users, on the other hand, are probably not even
aware that openssl can be used in a package-authenticating manner, let
alone how to invoke or interpret the necessary commands.
Finally, if GPG is required anyway to satisfy a web of trust, then the
result will be a mesh of different cryptographic dependencies for those
people who are unfamiliar with openssl methods.
If one is technically superior over the other, great. I'll be quiet. But
it seems a little disingenuous to assert that GPG's user interface
sucks so hard when I think it's obvious that openssl's sucks pretty
hard too. Isn't the solution being proposed that ssl be linked into
software which makes it friendlier? Isn't that a non sequitur in that
the reason for going with *ssl is because of GnuPG's rotten user
Thor said: "...its horrendous user interface which betrays an utter lack
of understanding of the key role that usability plays in the actual
secure use of security software."
.. umm.. :)
> > I'd like to avoid being snaggled one afternoon downloading some new
> > packages that are signed by a key I thought was genuine.
> That's why you use an attribute in the X.509 certificate (called extended
> key usage) that marks the certificate as a code signing certificate
> approved by the CA.
I'm aware of that attribute; the point was that the hierarchical trust
model espoused by Thor seems to throw the concept of web-of-trust out
the window and seems to reduce user confidence in the validity of
NetBSD's hypothetical future CA cert.
Just my opinion. No code flows from me so of course opinion it'll stay,
but there it is.
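The exchange above turns on two things: whether a package-consuming user can actually drive openssl to check a signature, and whether the extended key usage attribute Love mentions protects against accepting a signature from some other certificate the same CA happened to issue. The script below is an added example, written for this editorial pass and not code from the thread, NetBSD, or OpenSSL's own tooling. It assumes only the `openssl` command-line tool in PATH; the CA, the certificate names, and the "package" payload are constructed for the demonstration. It issues one certificate with `extendedKeyUsage=codeSigning` and one with `serverAuth` from the same private CA, signs a file with each, and shows that a verifier which checks the chain, the EKU, and the signature accepts only the first, even though both chain to the CA.

```shell
#!/bin/sh
# Added example (not from the thread): hierarchical package signing with
# OpenSSL, including the extendedKeyUsage check discussed on the list.
# Requires the openssl command-line tool; every name here is made up.
set -u
command -v openssl >/dev/null 2>&1 || { echo "openssl not found in PATH, nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
cd "$WORK"

# The hypothetical project CA (the "NetBSD CA cert" of the discussion).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Project CA" -keyout ca.key -out ca.crt 2>/dev/null
}

# Issue an end-entity certificate under the CA.
# $1 = name, $2 = extendedKeyUsage value (codeSigning, serverAuth, ...).
issue_cert() {
    name=$1; eku=$2
    printf 'keyUsage=digitalSignature\nextendedKeyUsage=%s\n' "$eku" > "$name.ext"
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null
    openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -sha256 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
}

# Detached RSA/SHA-256 signature. $1 = private key, $2 = file, $3 = signature out.
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# What a package tool should do before trusting a download.
# $1 = signer certificate, $2 = file, $3 = detached signature.
# Returns 0 only if the certificate chains to ca.crt (rc 1 otherwise),
# is marked for code signing (rc 2 otherwise), and the signature verifies
# with its public key (rc 3 otherwise).
verify_package() {
    cert=$1; file=$2; sig=$3
    openssl verify -CAfile ca.crt "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' | grep -q 'Code Signing' || return 2
    openssl x509 -in "$cert" -noout -pubkey > "$cert.pub"
    openssl dgst -sha256 -verify "$cert.pub" -signature "$sig" "$file" >/dev/null 2>&1 || return 3
    return 0
}

make_ca
issue_cert signer codeSigning      # the legitimate release-signing cert
issue_cert webserver serverAuth    # same CA, but issued for a TLS server
printf 'constructed package payload\n' > pkg.tgz   # stand-in for a real package
sign_file signer.key    pkg.tgz pkg.sig
sign_file webserver.key pkg.tgz pkg-bad.sig

verify_package signer.crt pkg.tgz pkg.sig && echo "signer.crt: accepted"
verify_package webserver.crt pkg.tgz pkg-bad.sig || echo "webserver.crt: rejected (rc=$?)"
echo "work files left in $WORK"
```

The EKU test is the line that turns a bare "chains to the CA" check into "the CA approved this key for signing code": without it, `webserver.crt` would pass `openssl verify` and its signature would check out, which is exactly the "signed by a key I thought was genuine" scenario. Note how many distinct openssl invocations a user would need to get right by hand; the usability complaint in the message is not about the primitives but about this sequence.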