[Gpg4win-users-en] Problems with Gpg4Win Verification Operations (and a couple of apparent bugs)

Juan Miguel Navarro Martínez juanmi.3000 at gmail.com
Mon May 25 01:13:47 CEST 2015


David Kronlid:
> I think the main problem here is that "Lsmoke3" didn't understand 
> that he needs to create his own key and use it to create trust in 
> other keys that he has downloaded from the Internet. The other 
> problems with sha256 and command-line are just the backup plans 
> that didn't work either. If there is a bug at all it might be with 
> sha256; I've never tried it so I don't know, but I don't think the 
> command-line or setting the trust level of keys are bugs at all,
> just user errors from a beginner.
> 
> Lsmoke3, you really only need to use the gui kleopatra and never 
> need to use the command line for verifying a download. But you also
> need to create or import your own gpg keys to set trust in other
> keys you download from the Internet or get from friends.
> 

I've already mentioned that in my first reply, so right now we are
waiting for OP to reply.

> Gpg4win/gnupg doesn't make it very easy for beginners as they have 
> created a WOT system that doesn't create much trust at all but 
> instead registers people's connections to each other for all 
> eternity on the web, and have added a feature where you have to 
> sign the trust level of downloaded keys with your own key, making 
> it difficult for beginners. So it's not very user friendly and 
> that's the problem; it's not a bug to have a difficult environment 
> to use, it's just not as user friendly as people expect software 
> to be. Especially if the only thing they want to do is to verify that
> a download isn't corrupted or comes from the wrong source. That
> thing could be much easier, and it was easier before. It's the new
> "features" that are causing the problems in this case, I think, 
> together with a user who doesn't want to spend hours learning how 
> to verify a download through Gpg4win.
> 
It really is not user-friendly, but the WoT creates trust if you use it
correctly. After all, we live in a world created by trust from our
family and friends, and it's up to the person to think how much trust you
would give to them.

But anyway, if a user only wants an easy way to verify files without
going the GPG way, using programs like sha256sum or sha512sum on
GNU/Linux and Mac, and HashTab or other third-party checksum programs for
Windows, should work fine.

> So removing some unnecessary features or making them 
> optional/removable in the installation and later in the settings 
> would be a good thing for beginners when using gpg4win. And later 
> if people really want to use their own keys to set a trust level of
> a key they just downloaded from the same website they downloaded
> the iso-file from, then fine, let them add that feature later.
> 

That's up to Gpg4Win developers, but I don't think they will remove
fundamental features from GnuPG.

Most features are already optional, though: you can verify the files, you
just won't be able to (local) sign the key and make it appear with a green
box in Kleopatra or Thunderbird. Besides, it would be a bad practice to
just straightforwardly sign someone else's key without knowing that the
key came from the real person.

Local signing is a good way to sign a key without worrying about entering
the Web of Trust, but it should also be used carefully.

> But honestly, if the website is hacked/replaced the 
> hackers/ISP/Country probably will have changed both the public key,
> signature file and the iso file so that people downloading both
> would just create trust in the fake gpg public key anyway. But
> that's a whole other problem which gpg can't solve as there's no
> verified database of public keys, so the hacker/ISP/country can 
> just change both the iso file, pgp signature file and the key that 
> created it all at once. So that's a more difficult problem to 
> solve.
> 

That's why SSL existed, and why TLS exists now, so that ISPs can't just
MITM HTTP sessions. As for countries, nothing could be trusted in
that country either, not even what appears to be Google.

About a verified database, the Web of Trust was designed so that there
would be a decentralized verification process instead of a centralized
one, like in HTTPS, where you have to trust that person or someone that
knows that person for real instead of automatically trusting a
certificate authority (StartCom Ltd., DigiCert Inc. and the upcoming
Let's Encrypt CA) blindly. They or their users could screw things up, as
mentioned on the Tails website's "Man in the Middle" page[1] about two CAs,
Comodo's affiliate[2] and DigiNotar[3].

WoT is the Internet way of not straightforwardly trusting that shiny
Debian 10 "Zurg" DVD file from a person at a computer convention who
claims to be one of the Project Debian developers.

PS: Implied, but I think it's obvious: I just invented the existence of
Debian 10 and its possible codename as of the time this email was written.

[1]: https://tails.boum.org/doc/about/warning/index.en.html#man-in-the-middle
[2]: https://blog.comodo.com/other/the-recent-ra-compromise/
[3]: https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it

-- 
Juan Miguel Navarro Martínez

GPG Keyfingerprint:
5A91 90D4 CF27 9D52 D62A
BC58 88E2 947F 9BC6 B3CF
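The checksum-only verification mentioned above (sha256sum without GnuPG), as an added example that is not part of the mailing-list post: `verify_sha256` is a name chosen here, and the sample files and SHA256SUMS list are constructed inline. It distinguishes a matching file, a tampered file, and a file nobody published a hash for, and its comments note the limit the rest of the thread discusses, namely that a checksum proves integrity but not who published the file.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. verify_sha256 (a
# name chosen here) checks a downloaded file against a SHA256SUMS list in
# sha256sum's own "<hash>  <name>" format, the GnuPG-free integrity check
# the reply suggests. It only proves the file is intact, not who published
# it: a replaced website can replace the checksum list too.
# Exit status: 0 = hash matches, 1 = mismatch, 2 = file not in the list.
verify_sha256() {
    file=$1
    sumfile=$2
    name=$(basename "$file")
    # Binary-mode entries are written as " *name"; strip the asterisk.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sumfile")
    if [ -z "$expected" ]; then
        echo "$name: not listed in $sumfile" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: FAILED (expected $expected, got $actual)" >&2
    return 1
}

# Constructed sample data so the check can be exercised offline.
tmp=$(mktemp -d)
printf 'hello\n' > "$tmp/good.iso"      # matches its listed hash
printf 'hellp\n' > "$tmp/tampered.iso"  # one byte off from its listed hash
printf 'hello\n' > "$tmp/unlisted.iso"  # intact, but no hash was published
cat > "$tmp/SHA256SUMS" <<'EOF'
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  good.iso
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  tampered.iso
EOF

for f in good.iso tampered.iso unlisted.iso; do
    verify_sha256 "$tmp/$f" "$tmp/SHA256SUMS" || echo "  -> exit status $?"
done
```

Real distributions also publish a detached signature over the SHA256SUMS list; checking that signature with gpg is what closes the gap this script leaves open.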
