[Gpg4win-users-en] key 0xEC70B1B8 trustable ? Self-signed SSL cert in DANE dnssec ?
bernhard at intevation.de
Wed Nov 20 12:15:02 CET 2013
On Saturday 16 November 2013 at 17:09:35, Bry8 Star wrote:
> Is the gpg4win pkg signing key 0xEC70B1B8 trust-able ?
yes (up to a certain point, which is normal for all certificates).
At Intevation about 10 people have access to the certificate
and its length is 1024D. So it is _not_ a high security certificate,
but was considered sufficient to secure contents integrity three years ago.
> What is the full fingerprint ?
pub 1024D/EC70B1B8 2010-03-19 Intevation File Distribution Key
<distribution-key at intevation.de>
Primary key fingerprint: 61AC 3F5E E4BE 593C 13D6 8B1E 7CBD 620B EC70 B1B8
> Why it's full key is not shown over a HTTPS secured webpage ?
It is at https://ssl.intevation.de/Intevation-Distribution-Key.asc
We should link this from http://gpg4win.org/package-integrity.html
> Why WK (Werner Koch) has not signed it ?
Werner does not sign many certificates anymore.
Also I think we have never asked him. :)
> How a regular FIRST time gpg4win users suppose to trust binary
> packages ?
The executable is signed by
Issuer: /CN=GlobalSign CodeSigning CA - G2/O=GlobalSign nv-sa/C=BE
Subject: /CN=Intevation GmbH/O=Intevation
GmbH/L=Osnabrueck/ST=Niedersachsen/C=DE/EMail=codesigning at intevation.de
validity: 2013-06-20 14:48:08 through 2016-09-10 09:27:26
key type: 2048 bit RSA
key usage: digitalSignature
ext key usage: codeSigning (suggested)
GobalSign's root certificate is in the Microsoft Certificate "Program",
so if you trust your operating system's standard root certificates
you could trust this check as well.
To us this is the way most users would expect this to happen,
integrity get's checked by their operating system.
The other methods are additional ways.
> Why are you not signing your website's DNS with DNSSEC ? (or Why are
> you not placing your site's DNSSEC code in ISC DLV (free) site ? )
> Why are you not declaring your own website's own SSL cert's hash in
> the TLSA/DANE dns record ?
Right now we are not serving gpg4win.org via https, this is because we did not
buy a full https certificate for it. As you know, each full domain name needs
a paid for ssl certificate (about 400 Euro /2 years) and this needs to be
configured. Partly this is about the effort, partly we are sceptics of the
PKI systems with the common set of browser root certificates. They are way to
expensive and not many checks done, so why pay them even that little?
Securing DNS better is an idea, we will think about.
(It competes with a lot of other ideas how to improve the Gpg4win security
and user experience. And we are in search of funding.)
Thanks for your suggestions!
www.intevation.de/~bernhard (CEO) www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 490 bytes
Desc: This is a digitally signed message part.
More information about the Gpg4win-users-en