On 2018-06-25 at 11:33, Jean Louis wrote: > If I receive PGP key from the same server, and PGP > signature, and package from same server, then > verification means just nothing.
OpenPGP public keys are normally pushed to a pool of key servers. So you can get the key from a different server. > PGP security works only if the key have been > verified with the trusted party who issued it. > > So in order to verify the key, I would need to > call developer, or SMS him, or otherwise use > communication channel that is trusted (even this > is not absolute), and then by exchanging > fingerprints, I would know I have his true PGP > key. > > Only thereafter I can use his public PGP key to > verify that package have been signed by his public > PGP key. This is not very practical, or even sufficient. It can verify a key, but it doesn't authenticate the key's owner. How secure is the method by which you found the phone number? How do you know that the voice on the other end is that of the maintainer? You can't very easily verify someone's identity by phone, especially in a publicly reproducible way (ask a question with a secret answer, and the answer is no longer secret, because an impersonator could get and repeat the same answer). OpenPGP has a more effective and distributed solution to this: the web of trust. Maintainers meet people who verify their identities in person and sign their keys (ideally either shared in full or identified by a full fingerprint or a sufficiently large ID). The people who meet the maintainers meet other people to have their identities verified and keys signed, and so on. If a user has met some people and verified and signed some keys, then there is likely to be at least one trust path somewhere, through N degrees of separation, that leads to the maintainer of the downloaded software they want to verify. GnuPG looks for such trust paths when using a key to verify a signature. In practice, this doesn't always work out, because not all users go around to key-signing parties to connect themselves into the web of trust. Such people could instead look up a maintainer on their favorite key server and look for a key that has numerous signatures from keys that in turn have numerous signatures. It's far from ideal but better than nothing. > So when requesting any security feature for > packages to be placed for downloading, let us not > dwell in some illusions of security. > > If users don't know how to verify PGP fingerprints > with the issues of the PGP key, and it is anyway > unlikely that any serious percentage would be > doing so, then we are wasting time by creating > apparent security. The perfect is the enemy of the good. Sure, perfect security is impossible, but that doesn't mean we should give up on having any security at all. Security is not a binary thing; it's a matter of best efforts, defense in depth, and deterring an attacker at least long enough that they give up. As long as the threat model and weaknesses are considered (i.e. not having a false sense of perfect security), any level of security is better than none. -- Patrick McDermott, CEO Libiquity Putting customers in control of high-quality technologies http://www.libiquity.com/