[Gpg4win-users-en] Untrusted Site Certification

Bernhard Reiter bernhard at intevation.de
Thu Jul 30 10:33:41 CEST 2015


Hi Michael,

thanks for asking!

On Wednesday 22 July 2015 at 15:06:10, Michael Carbone wrote:
> Any updates on the progress of setting up gpg4win.org with its own SSL
> certificate? It's been two months.

We haven't made progress so far.

For us, it is mainly a "perception" issue, 
so most other points took precedence.
We know that perception is important,
but having a heavy workload this took the low end over
other issues with less "perception" to them.

> As others have highlighted on this list and elsewhere, this is a basic
> step towards enabling users to obtain gpg4win in a relatively secure &
> verified way.

The added real security is quite minimal.

The Gpg4win installer is code-signed, which means being secured by a 
certificate which usually is more expensive than typical TLS certificates for 
webpages. In addition it is signed with an OpenPGP cert.

Having a green or just a regular "lock" icon in the web-browser may be 
something that people are trained to look for, so Gpg4win currently deviates
from this pattern and goes against this training.
As the "lock" icon in many cases does not give users a better assurance, 
this would be a chance for us as crypto community to explain why,
but we haven't gone around doing this, so your criticism has a point.

I hope we'll get around doing something in September or October.

Best Regards,
Bernhard

-- 
www.intevation.de/~bernhard (CEO)    www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner