Subject: Re: adding gpg to src/gnu/dist
To: None <,>
From: Marc Tooley <>
List: tech-userlevel
Date: 05/14/2004 12:07:15
On Friday 14 May 2004 09:53, Love wrote:
> Marc Tooley <> writes:
> > Wouldn't a web-of-trust be a more reliable source of public key
> > information than a top-down hierarchy? I can be "more" sure that
> > the NetBSD public key is the real public key if a bunch of trusted,
> > intelligent friends also think it's the right public key.
> I'm sure we can get your trusted intelligent friends to sign the
> CA-certificate file with their pgp keys once they have make sure its
> the right certificate.

It seems to me that from a user's perspective, GnuPG or even PGP is 
relatively simple to use while manual intervention in any openssl 
process would be.. painful due to a near-complete lack of useful  
documentation. And, without the ability of more users to satisfy 
themselves that the packages are indeed from NetBSD, using such signing 
mechanisms becomes useless; how did that line go in Spies Like Us.. "A 
weapon unused is a useless weapon." While that was silly 
military-mocking humour, it seems that "An encryption system unused is 
a useless encryption system" might be a little more apt here.

My point is that core is more than capable of using both GPG and OpenSSL 
effectively. Our common users, on the other hand, are probably not even 
aware that openssl can be used in a package-authenticating manner, let 
alone how to invoke or interpret the necessary commands.

Finally, if GPG is required anyway to satisfy a web of trust, then the 
result will be a mesh of different cryptographic dependencies for those 
people who are unfamiliar with openssl methods.

If one is technically superior over the other, great. I'll be quiet. But 
it seems a little disingenuous to assert that GPG's user interface 
sucks so hard when I think it's obvious that openssl's sucks pretty 
hard too. Isn't the solution being proposed that ssl be linked into 
software which makes it friendlier? Isn't that a non-sequiteur in that 
the reason for going with *ssl is because of GnuPG's rotten user 

Thor said: "...its horrendous user interface which betrays an utter lack 
of understanding of the key role that usability plays in the actual 
secure use of security software."

..  umm.. :)

> > I'd like to avoid being snaggled one afternoon downloading some new
> > packages that are signed by a key I thought was genuine.
> That why you use a attribute in the x509 certificate (called extented
> keyusage) that marks the certificate as a code signing certificate
> approved by the CA.

I'm aware of that attribute; the point was that the hierarchical trust 
model espoused by Thor seems to throw the concept of web-of-trust out 
the window and seems to reduce user confidence in the validity of 
NetBSD's hypothetical future CA cert.

Just my opinion. No code flows from me so of course opinion it'll stay, 
but there it is.