Re: [dev] dl.suckless.org file integrity github project

From: Anselm R Garbe <garbeam_AT_gmail.com>
Date: Sun, 27 Aug 2017 15:26:29 +0200

On 27 August 2017 at 00:19, Mattias Andrée <maandree_AT_kth.se> wrote:
> The users must be able to find the appropriate keys some way the first
> time, so suckless must at least have links to them. If suckless is
> compromised these can be replaced. PGP keys only ensure that future
> keys are not fraudulent as all new keys should be signed by the old keys.
> SSL certificates ensure that the PGP keys are not tampered with by
> anyone outside suckless. Thus, hosting the keys on suckless.org, when
> it has HTTPS, is more secure than everyone's private home pages outside
> suckless.org that do not have SSL certificates.

Perhaps I'm old-fashioned, but in the older days there used to be the
strategy to display your pgp fingerprint in mail signatures and lots
of other places, to ensure that during time and a high degree of
footprint throughout the net, it would be a rather easy cognitive
task to base trust on that.

But I didn't notice this approach for a while and did stop it myself
back in 2008 or so...

BR,
Anselm
Received on Sun Aug 27 2017 - 15:26:29 CEST

This archive was generated by hypermail 2.3.0 : Sun Aug 27 2017 - 15:36:17 CEST