Did the discussion of continuing support for DANE end?
Hope it's not too late to weigh in here.
Debian is used by a lot of people with differing security needs.
And trust is a difficult thing to come by.

Why would I trust that the Debian security team
 is not cooperating with the FBI/CIA to catch my radical friends.
(Pick your favorite radical issue.)

And if I can't trust that,
why would I trust the GPG key that I download
 from some apparently valid site?

DANE doesn't solve all the problems, but it does tighten up
one avenue, the absence of which makes Debian less secure.

If I trust Paul or Elmar, personally,
then DANE gives me some hope that I am really dealing with their sites.
Is that not correct?

Vince H.



On 2020/03/26 05:01 AM, Elmar Stellnberger wrote:
Am 26.03.20 um 03:50 schrieb Paul Wise:
On Wed, 2020-03-25 at 11:27 +0100, Elmar Stellnberger wrote:

    OpenPGP is no solution to the issue.
    DANE is not gonna disappear.

I guess we will have to agree to disagree, end of thread for me.


  I am far from having nothing more to say about it. Most people who provide signatures store their private key on a machine also used for web browsing. I know this also applies to Debian, because keeping the key secure, or at best offline, would require some considerable provisions, and AFAIK none of you have implemented a separation of concerns, i.e. one computer for browsing and another one for secure ssh connections. That would be required, though, to keep the secret key safe.

  We have an arbitrary code execution bug in browsers every few months, and that does not count all the zero-day exploits at all. Sites on the www are commonly spoofed by secret services. Even the Snowden revelations tell of that (operation Quantum Insert). That way the secret key is guaranteed to be compromised a few milliseconds after its creation. The NSA also has its own key stealing programme.

  I want to tell you that you are better off checking the SHA512SUM. That one, as soon as you have retrieved a genuine one, can no longer be spoofed. Besides this, it is a common attack vector to infect computers via online updates. Once more, they need to know the secret key in order to do so!



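Added example, not code from this thread or from Debian: the check DANE actually performs when you connect to one of those sites. A TLSA record in the zone carries a certificate usage, a selector, a matching type and association data; the client derives the same data from the certificate the server presents and compares the two. The certificate below is a hand-built placeholder with a fake key and a fake signature, constructed so the script runs offline with only the Python standard library; the DNSSEC validation that makes the TLSA record itself trustworthy is assumed and not shown.

```python
# Added example: checking a DANE TLSA record against an X.509 certificate (RFC 6698).
# Standard library only; the certificate is a constructed placeholder, not a real key.
import hashlib
import hmac
from collections import namedtuple

def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")        # DER long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def seq(*items):
    return tlv(0x30, b"".join(items))

def read_tlv(buf, off=0):
    """Return (tag, content, end_offset) for the DER TLV starting at off."""
    tag, first = buf[off], buf[off + 1]
    n = 0 if first < 0x80 else first & 0x7F                  # long form: n length bytes follow
    length = first if n == 0 else int.from_bytes(buf[off + 2:off + 2 + n], "big")
    start, end = off + 2 + n, off + 2 + n + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[start:end], end

def extract_spki(cert_der):
    """DER bytes of SubjectPublicKeyInfo, the object TLSA selector 1 refers to."""
    tag, body, end = read_tlv(cert_der)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("not a DER Certificate")
    tbs_tag, tbs, _ = read_tlv(body)
    if tbs_tag != 0x30:
        raise ValueError("missing tbsCertificate")
    fields, off = [], 0
    while off < len(tbs):                        # each top-level element of tbsCertificate
        tag, _, end = read_tlv(tbs, off)
        fields.append((tag, tbs[off:end]))
        off = end
    if fields and fields[0][0] == 0xA0:          # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("malformed tbsCertificate")
    return fields[5][1]

# usage 0-3 (PKIX-TA/PKIX-EE/DANE-TA/DANE-EE); selector 0 cert, 1 SPKI; mtype 0 exact, 1 SHA-256, 2 SHA-512
TLSA = namedtuple("TLSA", "usage selector mtype data")

def parse_tlsa(presentation):
    usage, selector, mtype, *hexparts = presentation.split()     # e.g. "3 1 1 <hex>"
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))

def association_data(cert_der, selector, mtype):
    """Bytes a record with this selector/mtype must carry; None if either is unknown."""
    if selector == 0:
        subject = cert_der
    elif selector == 1:
        subject = extract_spki(cert_der)
    else:
        return None
    if mtype == 0:
        return subject
    if mtype in (1, 2):
        return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(subject).digest()
    return None

def tlsa_matches(record, leaf_cert_der):
    """Association check for the end-entity certificate (usages 1 and 3). Usage 1 also needs
    PKIX chain validation and usages 0/2 match a CA cert in the chain; not modelled here."""
    if record.usage not in (1, 3):
        return False
    expected = association_data(leaf_cert_der, record.selector, record.mtype)
    return expected is not None and hmac.compare_digest(expected, record.data)

def build_sample_cert(key_material=bytes(range(32)), serial=b"\x01"):
    """Constructed placeholder certificate: real structure, fake key, fake signature."""
    sha256_rsa = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05, b""))
    rsa_enc = seq(tlv(0x06, bytes.fromhex("2a864886f70d010101")), tlv(0x05, b""))
    name = seq(tlv(0x31, seq(tlv(0x06, bytes.fromhex("550403")), tlv(0x0C, b"example.invalid"))))
    validity = seq(tlv(0x17, b"200101000000Z"), tlv(0x17, b"300101000000Z"))
    spki = seq(rsa_enc, tlv(0x03, b"\x00" + key_material))      # BIT STRING, 0 unused bits
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, serial), sha256_rsa, name, validity, name, spki)
    return seq(tbs, sha256_rsa, tlv(0x03, b"\x00" + b"\xaa" * 32))   # placeholder signature

def demo():
    cert = build_sample_cert()
    rec_311 = parse_tlsa(f"3 1 1 {association_data(cert, 1, 1).hex()}")   # hash of SPKI
    rec_301 = parse_tlsa(f"3 0 1 {association_data(cert, 0, 1).hex()}")   # hash of whole cert
    reissued = build_sample_cert(serial=b"\x02")            # same key, different certificate
    other_key = build_sample_cert(key_material=bytes(range(1, 33)))
    return {
        "311_matches_cert": tlsa_matches(rec_311, cert),
        "301_matches_cert": tlsa_matches(rec_301, cert),
        "311_survives_reissue": tlsa_matches(rec_311, reissued),
        "301_survives_reissue": tlsa_matches(rec_301, reissued),
        "311_rejects_other_key": tlsa_matches(rec_311, other_key),
        "unknown_mtype_rejected": tlsa_matches(TLSA(3, 1, 9, rec_311.data), cert),
    }
```

The `3 1 1` form (DANE-EE, SPKI, SHA-256) is the one usually recommended, for exactly the reason the demo shows: it keeps matching when the certificate is reissued for the same key, while a `3 0 1` record has to be republished with every new certificate. A record whose selector or matching type the client does not understand is treated as unusable rather than as a pass, which is what keeps an attacker from slipping a "matches anything" record past an old client.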