[Gpg4win-users-en] key 0xEC70B1B8 trustable ? Self-signed SSL cert in DANE dnssec ?

Bernhard Reiter bernhard at intevation.de
Wed Nov 20 12:15:02 CET 2013


Hi Bry8,

On Saturday 16 November 2013 at 17:09:35, Bry8 Star wrote:
> Is the gpg4win pkg signing key 0xEC70B1B8 trust-able ?

yes (up to a certain point, which is normal for all certificates).

At Intevation about 10 people have access to the certificate
and its length is 1024D. So it is _not_ a high security certificate,
but was considered sufficient to secure contents integrity three years ago.

> What is the full fingerprint ?

pub   1024D/EC70B1B8 2010-03-19 Intevation File Distribution Key <distribution-key at intevation.de>
 Primary key fingerprint: 61AC 3F5E E4BE 593C 13D6  8B1E 7CBD 620B EC70 B1B8

> Why its full key is not shown over a HTTPS secured webpage ?

It is at https://ssl.intevation.de/Intevation-Distribution-Key.asc
We should link this from http://gpg4win.org/package-integrity.html,
good point.

> Why WK (Werner Koch) has not signed it ?

Werner does not sign many certificates anymore. 
Also I think we have never asked him. :)

> How is a regular FIRST time gpg4win user supposed to trust binary
> packages ?

The executable is signed by
           ID: 0x00CFA0EC
          S/N: 112117F638BDC993B761C6073D63C2F86EC4
       Issuer: /CN=GlobalSign CodeSigning CA - G2/O=GlobalSign nv-sa/C=BE
      Subject: /CN=Intevation GmbH/O=Intevation GmbH/L=Osnabrueck/ST=Niedersachsen/C=DE/EMail=codesigning at intevation.de
     validity: 2013-06-20 14:48:08 through 2016-09-10 09:27:26
     key type: 2048 bit RSA
    key usage: digitalSignature
ext key usage: codeSigning (suggested)
     policies: 1.3.6.1.4.1.4146.1.50:N:
  fingerprint: 15:94:27:DA:C1:6E:68:A4:DD:47:EF:04:D2:17:C5:56:00:CF:A0:EC

GlobalSign's root certificate is in the Microsoft Certificate "Program",
so if you trust your operating system's standard root certificates
you could trust this check as well.

To us this is the way most users would expect this to happen,
integrity gets checked by their operating system.
The other methods are additional ways.


> Why are you not signing your website's DNS with DNSSEC ? (or Why are
> you not placing your site's DNSSEC code in ISC DLV (free) site ? )
>
> Why are you not declaring your own website's own SSL cert's hash in
> the TLSA/DANE dns record ?

Right now we are not serving gpg4win.org via https, this is because we did not
buy a full https certificate for it. As you know, each full domain name needs
a paid-for SSL certificate (about 400 Euro /2 years) and this needs to be
configured. Partly this is about the effort, partly we are sceptics of the
PKI systems with the common set of browser root certificates. They are way too
expensive and not many checks are done, so why pay them even that little?

Securing DNS better is an idea we will think about.
(It competes with a lot of other ideas how to improve the Gpg4win security
and user experience. And we are in search of funding.)

Thanks for your suggestions!
Bernhard

-- 
www.intevation.de/~bernhard (CEO)    www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
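
Added example (not part of the message above and not Gpg4win's or Intevation's own tooling): a check that pins the full fingerprint quoted in the message instead of the 8-digit key ID 0xEC70B1B8, by parsing `gpg --with-colons` output. The sample listings, the subkey values and the look-alike key are constructed; only the expected fingerprint comes from the message.

```python
import hmac

# Full fingerprint quoted in the message above for key 0xEC70B1B8.
EXPECTED_FPR = "61AC 3F5E E4BE 593C 13D6  8B1E 7CBD 620B EC70 B1B8"

def normalize(fpr):
    """Strip spaces and colons from a printed fingerprint and upper-case it."""
    hexchars = "".join(c for c in fpr if c not in " :\t").upper()
    if not hexchars or any(c not in "0123456789ABCDEF" for c in hexchars):
        raise ValueError("not a hex fingerprint: %r" % fpr)
    return hexchars

def primary_fingerprints(colons_output):
    """Fingerprints of the primary keys in `gpg --with-colons` output.

    An 'fpr' record describes the 'pub' or 'sub' record before it, so only
    the first 'fpr' after each 'pub' is collected; subkeys are skipped."""
    found, last = [], None
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            last = fields[0]
        elif fields[0] == "fpr" and last == "pub" and len(fields) > 9:
            found.append(normalize(fields[9]))
            last = None
    return found

def verify_keyfile(colons_output, expected=EXPECTED_FPR):
    """True only for a listing with exactly one primary key that matches."""
    want = normalize(expected)
    if len(want) != 40:
        raise ValueError("pin the full 160-bit fingerprint, not a key ID")
    found = primary_fingerprints(colons_output)
    return len(found) == 1 and hmac.compare_digest(found[0], want)

# Constructed listings: only the fingerprint in GENUINE comes from the page.
GENUINE = ("pub:-:1024:17:7CBD620BEC70B1B8:::::::::\n"
           "fpr:::::::::" + normalize(EXPECTED_FPR) + ":\n"
           "uid:-::::::::Intevation File Distribution Key:\n"
           "sub:-:1024:16:0123456789ABCDEF:::::::::\n"
           "fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:\n")
# Constructed look-alike: a different key that shares the short ID EC70B1B8.
LOOKALIKE = ("pub:-:1024:17:AAAAAAAAEC70B1B8:::::::::\n"
             "fpr:::::::::" + "A" * 32 + "EC70B1B8:\n")

if __name__ == "__main__":
    print("genuine  :", verify_keyfile(GENUINE))
    print("lookalike:", verify_keyfile(LOOKALIKE))
```

With a current GnuPG the input would come from `gpg --show-keys --with-colons Intevation-Distribution-Key.asc`, run on the file before it is imported.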