Re: Web of Trust (a revolution)

2009-04-01 Thread Simon Slater
On Wed, 2009-04-01 at 12:08 -0400, m wrote:
> I asked at the DMV once, naturally the response was a somewhat less
> than spectacular "proves you were born." So the fact that I live and
> breathe is not proof enough that someone gave birth to me?
At our local DMV you'll grow old & grey waiting to ask.
-- 
Hooroo,
Simon
Registered Linux User #463789. Be counted at: http://counter.li.org/

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines


Re: Web of Trust (a revolution)

2009-04-01 Thread David
On 4/1/2009 12:08 PM, m wrote:
> David wrote:
>> On 4/1/2009 10:13 AM, Craig White wrote:
>>> On Wed, 2009-04-01 at 14:49 +0100, Alan Cox wrote:
>>>>> I use a state issued picture driver license, a birth certificate,
>>>>> and a US Passport.
>>>> Which doesn't prove you are not one of identical twins ;)
>>>
>>> which is an important distinction if you happen to be the paranoid
>>> schizophrenic twin...
>>>
>>> http://www.amazon.com/Know-This-Much-True-Novel/dp/0061469084/ref=pd_bbs_sr_1
>>>
>>> Great book
>>>
>>> Craig
>>>
>>> ps - then again, the fingerprints would likely be identical
>>
>> True. But I also have concealed carry permits in four different states
>> and they take fingerprints and run background checks.  :-P
>>
>> Maybe I should have said that my mother assured me that I am me?
>>
>> Only the paranoid I guess.
>
> Yes it's a paranoid world. My question though, after reading this thread,
> is of what real use is birth certificate? I asked at the DMV once,
> naturally the response was a somewhat less than spectacular "proves you
> were born." So the fact that I live and breathe is not proof enough that
> someone gave birth to me? Perhaps it should be called an identity
> certificate instead. Anyone want to join my support group for the
> insanely pedantic.


In the US of A you need one to be President? To get a passport. And, in
Florida, today, and all other states eventually, to get a drivers license.

I have ID badges that let me work on certain schools in certain counties.
You need a drivers license to get it. And a background check. And
fingerprints taken.

Big Brother is watching? Or maybe? Welcome to City Seventeen?

Yeah. It's getting bad.

-- 


  David



Re: Web of Trust (a revolution)

2009-04-01 Thread m

Tim wrote:
> Bill Crawford:
>>> Ought to be possible for people to visit companies' offices and sign their
>>> keys, and add them to the "web of trust" as per PGP / GPG keys. No idea
>>> if / how that should be done, in practice, though.
>
> m:
>> Difficult at best, who wants to trust a faceless corporation? Not to be
>> cynical but you might trust the receptionist but what about the IT dept?
>> Are they competent?...
>
> I wonder if we were to contact our bank's tech support and ask if we
> could confirm their SSL certificate with them (e.g. read the fingerprint
> info over the phone), how many of them could actually do it?  Or even
> understand.

You're going to tempt me to try that and I have no doubt I'd have to start
keeping my money under the mattress after I got off the phone. ignorance
is bliss, ignorance is bliss, ignorance is bliss.


r...@max's_brain#rm -rf /var/log/messages
r...@max's_brain#shutdown -r now

huh? did you say something?

--
"Any fool can know. The point is to understand" --Albert Einstein

Bored??
http://fiction.wikia.com/wiki/Fuqwit1.0

http://fiction.wikia.com/wiki/Coding_the_Magic_into_the_Eight_Ball



Re: Web of Trust (a revolution)

2009-04-01 Thread Tim
Bill Crawford:
>> Ought to be possible for people to visit companies' offices and sign their
>> keys, and add them to the "web of trust" as per PGP / GPG keys. No idea
>> if / how that should be done, in practice, though.
 

m:
> Difficult at best, who wants to trust a faceless corporation? Not to be 
> cynical but you might trust the receptionist but what about the IT dept? 
> Are they competent?...

I wonder if we were to contact our bank's tech support and ask if we
could confirm their SSL certificate with them (e.g. read the fingerprint
info over the phone), how many of them could actually do it?  Or even
understand.

-- 
[...@localhost ~]$ uname -r
2.6.27.19-78.2.30.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: Web of Trust (a revolution)

2009-04-01 Thread Steve Lindemann

David wrote:
> On 4/1/2009 10:13 AM, Craig White wrote:
>> On Wed, 2009-04-01 at 14:49 +0100, Alan Cox wrote:
>>>> I use a state issued picture driver license, a birth certificate, and a US
>>>> Passport.
>>> Which doesn't prove you are not one of identical twins ;)
>>
>> which is an important distinction if you happen to be the paranoid
>> schizophrenic twin...
>
> True. But I also have concealed carry permits in four different states and
> they take fingerprints and run background checks.  :-P
>
> Maybe I should have said that my mother assured me that I am me?
>
> Only the paranoid I guess.



When I was in the military I held a fairly high security clearance.  The 
kind of thing where they check your background back before you were 
born.  I worked with folks with the same clearance levels or even 
higher.  Curiously enough, despite having such deep background checks we 
still had people stealing from the coffee fund.


There is *no* check that can certify you are a truly honest, ethical and 
reliable person... only time and observation will tell others if you can 
really be trusted, everything else is a wild ass guess.  I know I'm a 
trustworthy person, but no one who doesn't know me well can ever be sure 
of that... no matter who else says so (hell *they* could be lying) 8^\


...who ya gonna trust?
--
Steve Lindemann __
Network Administrator  //\\  ASCII Ribbon Campaign
Marmot Library Network, Inc.   \\//  against HTML/RTF email,
http://www.marmot.org  //\\  vCards & M$ attachments
+1.970.242.3331 x116





Re: Web of Trust (a revolution)

2009-04-01 Thread Bill Crawford
On Wednesday 01 April 2009 17:08:46 m wrote:

> Anyone want to join my support group for the
> insanely pedantic.

*Does* anyone want to ... ?

Count me in ;o)



Re: Web of Trust (a revolution)

2009-04-01 Thread m

David wrote:
> On 4/1/2009 10:13 AM, Craig White wrote:
>> On Wed, 2009-04-01 at 14:49 +0100, Alan Cox wrote:
>>>> I use a state issued picture driver license, a birth certificate, and a US
>>>> Passport.
>>> Which doesn't prove you are not one of identical twins ;)
>>
>> which is an important distinction if you happen to be the paranoid
>> schizophrenic twin...
>>
>> http://www.amazon.com/Know-This-Much-True-Novel/dp/0061469084/ref=pd_bbs_sr_1
>>
>> Great book
>>
>> Craig
>>
>> ps - then again, the fingerprints would likely be identical
>
> True. But I also have concealed carry permits in four different states and
> they take fingerprints and run background checks.  :-P
>
> Maybe I should have said that my mother assured me that I am me?
>
> Only the paranoid I guess.

Yes it's a paranoid world. My question though, after reading this thread,
is of what real use is birth certificate? I asked at the DMV once,
naturally the response was a somewhat less than spectacular "proves you
were born." So the fact that I live and breathe is not proof enough that
someone gave birth to me? Perhaps it should be called an identity
certificate instead. Anyone want to join my support group for the
insanely pedantic.


--
"Any fool can know. The point is to understand" --Albert Einstein

Bored??
http://fiction.wikia.com/wiki/Fuqwit1.0

http://fiction.wikia.com/wiki/Coding_the_Magic_into_the_Eight_Ball



Re: Web of Trust (a revolution)

2009-04-01 Thread David
On 4/1/2009 10:13 AM, Craig White wrote:
> On Wed, 2009-04-01 at 14:49 +0100, Alan Cox wrote:
>>> I use a state issued picture driver license, a birth certificate, and a US
>>> Passport.
>> Which doesn't prove you are not one of identical twins ;)
> 
> which is an important distinction if you happen to be the paranoid
> schizophrenic twin...

> http://www.amazon.com/Know-This-Much-True-Novel/dp/0061469084/ref=pd_bbs_sr_1

> Great book

> Craig

> ps - then again, the fingerprints would likely be identical


True. But I also have concealed carry permits in four different states and
they take fingerprints and run background checks.  :-P

Maybe I should have said that my mother assured me that I am me?

Only the paranoid I guess.

-- 


  David



Re: Web of Trust (a revolution)

2009-04-01 Thread Tim
On Wed, 2009-04-01 at 10:37 -0400, m wrote:
> According to the info I have found, twins of any sort will not have 
> identical fingerprints, though their DNA might be virtually 
> indistinguishable if they are identical twins.

Many many years ago I remember finding out that identical twins are
rarely ever *identical*, but it was possible.  I'm sure I've read of at
least one instance where fingerprints were, too.

Which identity documents have your finger prints on?  It's years since
I've seen someone's passport, but they only had photos on them.
Likewise with our driver's licences.

I wonder if they'll start fingerprinting babies, in the modern terrorist
paranoid era?  (Still, though, such people don't seem to care if you
know who they are.)

Apparently we used to have DNA records of every baby in Australia,
thanks to Guthrie test cards (pin-prick to the heel, with the blood drop
pressed against a card) just being casually filed away in the back of
some cupboard.  Then there was a flap on as someone realised this, and
the potential for using them for something more than they were ever
intended for, and I recall reading that they were going to be destroyed.

Ultimately, identifying someone doesn't really prove a great deal,
unless you can also find out whether they're trustworthy or a con
artist, as well as who they are.

-- 
[...@localhost ~]$ uname -r
2.6.27.19-78.2.30.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: Web of Trust (a revolution)

2009-04-01 Thread Tim
Tim:
>> You need to know them more than just having met them before, you need
>> to know what their attitude is to signing keys.  Will they only sign
>> keys with users that have credible ID?  And could they spot fake ID?
> 
David:
> I use a state issued picture driver license, a birth certificate, and
> a US Passport.

Do you mean to identify yourself, and/or you insist on that before
you'll sign someone else's key?

But to be brutal, a birth certificate proves nothing, any thief could
have stolen one.  And which of us could pick a good faked driver's
license or passport from a real one?  Or would know whether someone's
fraudulently obtained real ones?

-- 
[...@localhost ~]$ uname -r
2.6.27.19-78.2.30.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: Web of Trust (a revolution)

2009-04-01 Thread m

Craig White wrote:
> On Wed, 2009-04-01 at 10:37 -0400, m wrote:
>>> ps - then again, the fingerprints would likely be identical
>>
>> According to the info I have found, twins of any sort will not have
>> identical fingerprints, though their DNA might be virtually
>> indistinguishable if they are identical twins.
>
> I appreciate the opportunity to demonstrate how little I know about
> identical twins... ;-)
>
> Craig

I appreciate your subtlety in reminding me to look that up because that 
particular mental post-it had been covered up long ago. Maybe I should 
write down on physical paper the things I need to look up...nah mental 
post-it notes are more fun, which reminds me...


--
"Any fool can know. The point is to understand" --Albert Einstein

Bored??
http://fiction.wikia.com/wiki/Fuqwit1.0

http://fiction.wikia.com/wiki/Coding_the_Magic_into_the_Eight_Ball



Re: Web of Trust (a revolution)

2009-04-01 Thread Craig White
On Wed, 2009-04-01 at 10:37 -0400, m wrote:
> > ps - then again, the fingerprints would likely be identical
> > 
> > 
> According to the info I have found, twins of any sort will not have 
> identical fingerprints, though their DNA might be virtually 
> indistinguishable if they are identical twins.

I appreciate the opportunity to demonstrate how little I know about
identical twins... ;-)

Craig


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



Re: Web of Trust (a revolution)

2009-04-01 Thread Anne Wilson
On Wednesday 01 April 2009 14:18:11 David wrote:
> On 4/1/2009 8:56 AM, Tim wrote:
> > On Wed, 2009-04-01 at 13:42 +0200, "Stanisław T. Findeisen" wrote:
> >> Sure, you might not be sure how honest a particular person
> >> is, or how accurate she is when it comes to key signing. But it
> >> *might* be helpful to know that a key of someone else that you haven't
> >> met in person has been signed by, say, 10 different people that you
> >> did meet before
> >
> > You need to know them more than just having met them before, you need to
> > know what their attitude is to signing keys.  Will they only sign keys
> > with users that have credible ID?  And could they spot fake ID?
>
> I use a state issued picture driver license, a birth certificate, and a US
> Passport.
>
It is generally accepted that meeting someone, alone, is not sufficient 
identification.  Before you sign anyone's key, or let them sign yours, you 
should always see this kind of official documentation.  Anyone considering 
getting keys signed should read 
http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html

Anne
-- 
New to KDE4? - get help from http://userbase.kde.org
Just found a cool new feature?  Add it to UserBase



Re: Web of Trust (a revolution)

2009-04-01 Thread m

Craig White wrote:
> On Wed, 2009-04-01 at 14:49 +0100, Alan Cox wrote:
>>> I use a state issued picture driver license, a birth certificate, and a US
>>> Passport.
>> Which doesn't prove you are not one of identical twins ;)
>
> which is an important distinction if you happen to be the paranoid
> schizophrenic twin...
>
> http://www.amazon.com/Know-This-Much-True-Novel/dp/0061469084/ref=pd_bbs_sr_1
>
> Great book
>
> Craig
>
> ps - then again, the fingerprints would likely be identical


According to the info I have found, twins of any sort will not have 
identical fingerprints, though their DNA might be virtually 
indistinguishable if they are identical twins.


--
"Any fool can know. The point is to understand" --Albert Einstein

Bored??
http://fiction.wikia.com/wiki/Fuqwit1.0

http://fiction.wikia.com/wiki/Coding_the_Magic_into_the_Eight_Ball



Re: Web of Trust (a revolution)

2009-04-01 Thread Craig White
On Wed, 2009-04-01 at 14:49 +0100, Alan Cox wrote:
> > I use a state issued picture driver license, a birth certificate, and a US
> > Passport.
> 
> Which doesn't prove you are not one of identical twins ;)

which is an important distinction if you happen to be the paranoid
schizophrenic twin...

http://www.amazon.com/Know-This-Much-True-Novel/dp/0061469084/ref=pd_bbs_sr_1

Great book

Craig

ps - then again, the fingerprints would likely be identical




Re: Web of Trust (a revolution)

2009-04-01 Thread Alan Cox
> I use a state issued picture driver license, a birth certificate, and a US
> Passport.

Which doesn't prove you are not one of identical twins ;)



Re: Web of Trust (a revolution)

2009-04-01 Thread David
On 4/1/2009 8:56 AM, Tim wrote:
> On Wed, 2009-04-01 at 13:42 +0200, "Stanisław T. Findeisen" wrote:
>> Sure, you might not be sure how honest a particular person 
>> is, or how accurate she is when it comes to key signing. But it
>> *might* be helpful to know that a key of someone else that you haven't
>> met in person has been signed by, say, 10 different people that you
>> did meet before

> You need to know them more than just having met them before, you need to
> know what their attitude is to signing keys.  Will they only sign keys
> with users that have credible ID?  And could they spot fake ID?


I use a state issued picture driver license, a birth certificate, and a US
Passport.

-- 


  David



Re: Web of Trust (a revolution)

2009-04-01 Thread Tim
On Wed, 2009-04-01 at 13:42 +0200, "Stanisław T. Findeisen" wrote:
> Sure, you might not be sure how honest a particular person 
> is, or how accurate she is when it comes to key signing. But it
> *might* be helpful to know that a key of someone else that you haven't
> met in person has been signed by, say, 10 different people that you
> did meet before

You need to know them more than just having met them before, you need to
know what their attitude is to signing keys.  Will they only sign keys
with users that have credible ID?  And could they spot fake ID?

-- 
[...@localhost ~]$ uname -r
2.6.27.19-78.2.30.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: Web of Trust (a revolution)

2009-04-01 Thread Stanisław T. Findeisen

Todd Zullinger wrote:
> $ gpg --list-options 'show-policy-urls' --list-sigs silfreed
> pub   1024D/ED00D312 2000-06-21
> uid                  Douglas E. Warner
> sig 3        ED00D312 2005-11-02  Douglas E. Warner
> sig 2   P    BEAF0CE3 2006-08-07  Todd M. Zullinger
>    Signature policy: http://www.pobox.com/~tmz/pgp/cert-policy.asc
> [...]
>
> I don't intend for that to make anyone trust my signatures unless they
> know a bit about me, of course.  But I do try to be a good example and
> let those who may trust me know just what I mean when they see a
> signature from me on a key.
>
> Both notations and cert policy URLs may contain some data that is
> unique to a particular signature.  Strings such as %k, %K, and %f will
> be expanded to the short key id, long key id, and fingerprint of the
> key being signed, respectively.  That way, you could make the notation
> or policy URL point to a page for each signature.  There you could
> include such details as where you met, what information you exchanged,
> etc.


Great done, I am impressed, I wasn't even aware that such things exist!

So, summarizing all this (see my previous post from today) I'd say 
that what we need is:


* an OpenPGP web of trust "CA" (operated by RedHat/Fedora/whatever, 
sorry I'm not really aware of who is who here) with its public/private 
keypair (CAK)
* an official and strictly-followed policy for signing people's keys with 
CAK (trust level 0 sigs)
* an official and strictly-followed policy for signing people's keys with 
CAK (trust level 1 sigs)
* a "marketing strategy" or something to tell people to trust CAK with 
the level of 2
* some "goodies" like list of keys signed by CAK published on the web, 
or maybe photos of all such meetings in person (depending on the 
policy); surely photos, names and bios of all trust-level-1 sigs 
holders. :-)


This way we achieve the goals of the revolution; we promote:
* GNU
* free software
* security and authenticity
* bazaar model
* Fedora
* OpenPGP web of trust, which is better than PKI.

STF

===
http://eisenbits.homelinux.net/~stf/
OpenPGP: 9D25 3D89 75F1 DF1D F434  25D7 E87F A1B9 B80F 8062
===
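
The %k / %K / %f expansion quoted in the message above, modelled as an added example (not part of the original post and not GnuPG's code). It assumes 40-hex-digit v4 fingerprints, where the long and short key IDs are the last 16 and 8 hex digits; the URL templates and the look-alike fingerprint are constructed, and leaving unknown %-codes untouched is this model's own choice.

```python
import re

# Fingerprint printed in the signature block of the message above.
PAGE_FPR = "9D25 3D89 75F1 DF1D F434  25D7 E87F A1B9 B80F 8062"
# Constructed fingerprint that shares only its last 8 hex digits with PAGE_FPR.
LOOKALIKE_FPR = "0123456789ABCDEF0123456789ABCDEFB80F8062"


def normalize_fingerprint(fingerprint):
    """Strip whitespace, upper-case, and insist on 40 hex digits (v4 key)."""
    hexstr = re.sub(r"\s+", "", fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hexstr):
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return hexstr


def expand(template, fingerprint):
    """Expand %k, %K, %f (and %% for a literal percent) in a policy URL.

    Any other %-code is left as written (assumption of this model).
    """
    fpr = normalize_fingerprint(fingerprint)
    values = {
        "k": fpr[-8:],    # short key ID: low 32 bits of the fingerprint
        "K": fpr[-16:],   # long key ID: low 64 bits of the fingerprint
        "f": fpr,         # full fingerprint
        "%": "%",
    }
    return re.sub(r"%(.)",
                  lambda m: values.get(m.group(1), m.group(0)),
                  template)


def ambiguous(template, fpr_a, fpr_b):
    """True when two different keys expand to the same per-signature URL."""
    different_keys = normalize_fingerprint(fpr_a) != normalize_fingerprint(fpr_b)
    return different_keys and expand(template, fpr_a) == expand(template, fpr_b)


if __name__ == "__main__":
    for code in ("%k", "%K", "%f"):
        template = "https://policy.example/sigs/" + code + ".html"
        print(code, "->", expand(template, PAGE_FPR),
              "| collides with look-alike:",
              ambiguous(template, PAGE_FPR, LOOKALIKE_FPR))
```

A per-signature page keyed on %k cannot tell the two keys apart, so a signer who publishes meeting details per signature is better served by %f.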




Re: Web of Trust (a revolution)

2009-04-01 Thread Stanisław T. Findeisen

m wrote:
> Difficult at best, who wants to trust a faceless corporation? Not to be
> cynical but you might trust the receptionist but what about the IT dept?
> Are they competent? Money is no guarantee of anything, in fact the
> larger the company the more likely they will let something slip through
> the cracks. Companies all say they are secure and trustworthy, but who
> is hiring these people? Are there background checks? Should there be?
> Probably they outsource that and then you have to see if you can trust
> that company too. The main problem is that so much gets outsourced so
> dept head A doesn't have to worry about it but who is checking that this
> other company is doing it right? It's an endless cycle of paranoia.


Exactly. Trusting "a corporation" boils down to trusting its owners, and 
owners are those who hold the shares. In case you don't know how 
ownership of a public company works, google for "stock exchange" or so. 
:-) And understand that companies can hold the shares of other 
companies, too. :-)


Anyway. Show me one positive thing PKI has that OpenPGP Web of Trust is 
missing. From this thread it looks to me that few of us are aware of 
"trust signature level" notion. See GnuPG manual ("tsign") or here: 
http://www.google.com/search?hl=pl&q=gpg+tsign+site%3Awww.gnupg.org&btnG=Szukaj&lr= 
.


It looks to me that using trust signature levels (not just 2 or 3, like 
in X.509, but 10+) one can build his own key hierarchy. Here is an 
example: http://www.gswot.org/ .


Also Wikipedia (http://en.wikipedia.org/wiki/Web_of_trust) states that 
there are sites allowing you to find OpenPGP Web of Trust members near 
you (geographically), so that you could meet in person and sign each 
other's key. Sure, you might not be sure how honest a particular person 
is, or how accurate she is when it comes to key signing. But it *might* 
be helpful to know that a key of someone else that you haven't met in 
person has been signed by, say, 10 different people that you did meet 
before (see http://www.gnupg.org/gph/en/manual.html#AEN385).


So. Summarizing all this I would say that OpenPGP Web of Trust is (much) 
more flexible than PKI, and when it comes to implementation, it looks 
that with OpenPGP you are the one to decide whom to trust 
(http://www.gnupg.org/gph/en/manual.html#AEN385) (which is not the case 
with PKI, where a single certificate chain is sufficient for the trust 
to be assigned locally).


The revolution strategy will follow in my reply to Todd Zullinger's post 
(03/31/2009 01:10 AM).


STF

===
http://eisenbits.homelinux.net/~stf/
OpenPGP: 9D25 3D89 75F1 DF1D F434  25D7 E87F A1B9 B80F 8062
===
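
The difference between "signed by 10 people you have met" and "signed by people whose signing habits you trust", raised in this message and in Tim's reply to it, worked through as an added example (not part of the original posts). It is a simplified model of the validity rule in the GNU Privacy Handbook section linked above, assuming its stated thresholds (one fully trusted signer, or three marginally trusted ones, within five steps of your own key); all key names are constructed.

```python
FULL, MARGINAL = "full", "marginal"


def valid_keys(own, signatures, ownertrust,
               completes_needed=1, marginals_needed=3, max_depth=5):
    """Return {key: steps from `own`} for every key considered valid.

    signatures: {key: set of keys that signed it}
    ownertrust: {key: FULL or MARGINAL}; how much you trust that key's
                owner to check identities before signing. Unlisted = none.
    A signature only counts if the signing key is itself already valid.
    """
    depth_of = {own: 0}
    for depth in range(1, max_depth + 1):
        newly_valid = {}
        for key, signers in signatures.items():
            if key in depth_of:
                continue
            direct = False
            full = marginal = 0
            for signer in signers:
                if signer not in depth_of:
                    continue            # signer not validated: ignored
                if signer == own:
                    direct = True       # you signed it yourself
                elif ownertrust.get(signer) == FULL:
                    full += 1
                elif ownertrust.get(signer) == MARGINAL:
                    marginal += 1
            if (direct or full >= completes_needed
                    or marginal >= marginals_needed):
                newly_valid[key] = depth
        if not newly_valid:
            break
        depth_of.update(newly_valid)
    return depth_of


def ten_friends_web():
    """Constructed web: you signed 10 friends' keys; all 10 signed 'stranger'."""
    friends = ["friend%02d" % i for i in range(1, 11)]
    signatures = {f: {"me"} for f in friends}
    signatures["stranger"] = set(friends)
    return friends, signatures


def stranger_is_valid(ownertrust):
    _, signatures = ten_friends_web()
    return "stranger" in valid_keys("me", signatures, ownertrust)


if __name__ == "__main__":
    friends, _ = ten_friends_web()
    cases = {
        "10 signatures, no owner trust assigned": {},
        "2 marginally trusted signers": {f: MARGINAL for f in friends[:2]},
        "3 marginally trusted signers": {f: MARGINAL for f in friends[:3]},
        "1 fully trusted signer": {friends[0]: FULL},
    }
    for label, trust in cases.items():
        print("%-40s stranger valid: %s" % (label, stranger_is_valid(trust)))
```

Ten signatures from validated keys establish nothing by themselves in this model; the result changes only once you record owner trust, which is the judgement about each signer's attitude to checking ID.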




Re: Web of Trust (a revolution)

2009-03-31 Thread Craig White
On Tue, 2009-03-31 at 10:42 -0500, Bruno Wolff III wrote:
> On Tue, Mar 31, 2009 at 12:27:08 +0100,
>   Bill Crawford  wrote:
> > On Monday 30 March 2009 20:12:45 Bruno Wolff III wrote:
> > 
> > > CAs that charge extra in order to sign certs that have flag set to
> > > indicate that they can sign other certs in subdomains should be boycotted.
> > 
> > This is actually a rotten idea. If you need internal testing systems, or to
> > dynamically create them as needed, or you want to run shared hosting using
> > SSL (as we do for internal testing, since our application requires SSL
> > enabled) then being able to sign your own sub-domains and / or have a
> > wildcard are pretty much essential.
> 
> I was complaining about ripping people off by charging exorbitant amounts
> for signing keys, not that people / orgs shouldn't be able to get them.
> Verisign does that to protect revenue, not for security reasons.

why does a dog lick themselves between the legs?

because they can. Everyone is free to choose to purchase certificates
from any well known certificate authority and it doesn't have to be
Verisign.

I don't know that they are exorbitant, I know that unless I am selling
something to the public and don't want to scare the bejeebus out of them
by offering a self-signed certificate, I'm not buying.

Craig




Re: Web of Trust (a revolution)

2009-03-31 Thread m

Kevin Kofler wrote:
> m wrote:
>> I would point you to Firefox for instance, which by some (not I) is
>> reported to be a very insecure browser. There was an article, a while
>> back, that pointed out that it had more software vulnerabilities than
>> other browsers in I think it was 06 or 07. On the surface the article
>> seemed legit but proprietary browsers do not disclose all insecurities
>> found, only the publicly reported ones, whereas Firefox, this is my
>> understanding please correct if wrong, reports all security issues
>> including the ones found in internal audits. So yes Firefox had more
>> reported problems but only because they disclose all of them. So who can
>> I trust? Just me it seems and the few friends that I have, signed keys,
>> as pointed out by others, is no guarantee that things were or are done
>> properly. That for me anyway is what the issue of trust comes down to,
>> consistency, it's based on that, that I decide whether I can trust them
>> or just trust them to be themselves.
>
> Konqueror is not a proprietary browser, and I trust KDE to disclose all the
> vulnerabilities they fix, yet it has a lot fewer security issues than
> Firefox.
>
> Kevin Kofler

Wasn't trying to slight Konqueror, I should have been more clear, the 
comparison in the article was of course trying to paint IE as the poster 
boy for security (Safari was mentioned also and I think Opera but I can't 
stumble across the article again for the life of me) and implied that 
using FF was dangerous in the extreme. A notion I found laughable but if 
you're completely uninformed you just might get taken in by the hype. As 
for Konqueror vs FF, well I haven't used Konqueror in quite some time 
now so I can't make an honest comparison. Might be time to fix that...


--
"Any fool can know. The point is to understand" --Albert Einstein

Bored??
http://fiction.wikia.com/wiki/Fuqwit1.0

http://fiction.wikia.com/wiki/Coding_the_Magic_into_the_Eight_Ball



Re: Web of Trust (a revolution)

2009-03-31 Thread Anne Wilson
On Tuesday 31 March 2009 16:03:14 Ed Greshko wrote:
> Bill Crawford wrote:
> > On Tuesday 31 March 2009 15:01:42 Anne Wilson wrote:
> > ...
> >
> >> Anne
> >
> > By the way, your mails are showing up as having BAD signature in kmail
> > here (the key is available). Is your mailer munging things, or is it the
> > list servers?
>
> It only shows up bad when the emails are sent as multipart/alternative
> and the html gets wrapped after signing.

Dammit you're right.  Something has switched html on again.  I've lost count 
of the times this has happened.  Yesterday's was fine, today's isn't 
(hopefully sorted now) and I can't see anything on the update list for the 
last 24 hours to explain it.

Sorry folks

Anne
-- 
New to KDE4? - get help from http://userbase.kde.org
Just found a cool new feature?  Add it to UserBase



Re: Web of Trust (a revolution)

2009-03-31 Thread Kevin Kofler
m wrote:
> I would point you to Firefox for instance, which by some(not I) is
> reported to be a very insecure browser. There was an article, a while
> back, that pointed out that it had more software vulnerabilities than
> other browsers in I think it was 06 or 07. On the surface the article
> seemed legit but proprietary browsers do not disclose all insecurities
> found, only the publicly reported ones, where as Firefox, this is my
> understanding please correct if wrong, reports all security issues
> including the ones found in internal audits. So yes Firefox had more
> reported problems but only because they disclose all of them. So who can
> I trust? Just me it seems and the few friends that I have, signed keys,
> as pointed out by others, is no guarantee that things were or are done
> properly. That for me anyway is what the issue of trust comes down to,
> consistency, it's based on that, that I decide whether I can trust them
> or just trust them to be themselves.

Konqueror is not a proprietary browser, and I trust KDE to disclose all the
vulnerabilities they fix, yet it has a lot fewer security issues than
Firefox.

Kevin Kofler



Re: Web of Trust (a revolution)

2009-03-31 Thread m

Bruno Wolff III wrote:
> On Tue, Mar 31, 2009 at 11:00:34 -0400,
>   m  wrote:
>> Difficult at best, who wants to trust a faceless corporation? Not to be
>> cynical but you might trust the receptionist but what about the IT dept?
>> Are they competent? Money is no guarantee of anything, in fact the
>> larger the company the more likely they will let something slip through
>> the cracks. Companies all say they are secure and trustworthy, but who
>> is hiring these people? Are there background checks? Should there be?
>> Probably they outsource that and then you have to see if you can trust
>> that company too. The main problem is that so much gets outsourced so
>> dept head A doesn't have to worry about it but who is checking that this
>> other company is doing it right? It's an endless cycle of paranoia.
>
> You are only trusting them to provide you with the key for their domain and
> possibly subdomains.

I was referring to the issue of trust in general.

> You aren't making them a CA for any and all domains.



Yes I understand that but you could apply the same to Verisign, which
others have pointed out gave out a Microsoft cert to someone who wasn't.
So then what? They should at least be hiring less gullible people or
have a better process for issuing certs, I am under no illusions that
just because it's the only time I heard about it that it's the only time
it happened.


I would point you to Firefox for instance, which by some (not I) is
reported to be a very insecure browser. There was an article, a while
back, that pointed out that it had more software vulnerabilities than
other browsers in I think it was 06 or 07. On the surface the article
seemed legit but proprietary browsers do not disclose all insecurities
found, only the publicly reported ones, whereas Firefox, this is my
understanding please correct if wrong, reports all security issues
including the ones found in internal audits. So yes Firefox had more
reported problems but only because they disclose all of them. So who can
I trust? Just me it seems and the few friends that I have, signed keys,
as pointed out by others, is no guarantee that things were or are done
properly. That for me anyway is what the issue of trust comes down to,
consistency, it's based on that, that I decide whether I can trust them
or just trust them to be themselves.





--
"Any fool can know. The point is to understand" --Albert Einstein

Bored??
http://fiction.wikia.com/wiki/Fuqwit1.0

http://fiction.wikia.com/wiki/Coding_the_Magic_into_the_Eight_Ball



Re: Web of Trust (a revolution)

2009-03-31 Thread Bruno Wolff III
On Tue, Mar 31, 2009 at 11:00:34 -0400,
  m  wrote:
> Difficult at best, who wants to trust a faceless corporation? Not to be
> cynical but you might trust the receptionist but what about the IT dept?
> Are they competent? Money is no guarantee of anything, in fact the
> larger the company the more likely they will let something slip through
> the cracks. Companies all say they are secure and trustworthy, but who
> is hiring these people? Are there background checks? Should there be?
> Probably they outsource that and then you have to see if you can trust
> that company too. The main problem is that so much gets outsourced so
> dept head A doesn't have to worry about it but who is checking that this
> other company is doing it right? It's an endless cycle of paranoia.

You are only trusting them to provide you with the key for their domain and
possibly subdomains. You aren't making them a CA for any and all domains.



Re: Web of Trust (a revolution)

2009-03-31 Thread Bruno Wolff III
On Tue, Mar 31, 2009 at 12:27:08 +0100,
  Bill Crawford  wrote:
> On Monday 30 March 2009 20:12:45 Bruno Wolff III wrote:
> 
> > CAs that charge extra in order to sign certs that have flag set to
> > indicate that they can sign other certs in subdomains should be boycotted.
> 
> This is actually a rotten idea. If you need internal testing systems, or to
> dynamically create them as needed, or you want to run shared hosting using
> SSL (as we do for internal testing, since our application requires SSL
> enabled) then being able to sign your own sub-domains and / or have a
> wildcard are pretty much essential.

I was complaining about ripping people off by charging exorbitant amounts
for signing keys, not that people / orgs shouldn't be able to get them.
Verisign does that to protect revenue, not for security reasons.

> > Sites with self signed certs that prevent passive snooping get treated as
> > the same as going to a site without ssl and not triggering all sorts of
> > inappropriate warnings that look scary and make people jump through hoops
> > to bypass them.
> 
> That's a separate issue; it's a pain, but if a "root" CA updates their keys
> at any point, older browsers / operating systems may well experience a
> period of "messages popping up telling me they can't verify the
> certificate" ...

The procedure would be (in a web of trust model) to sign the new key
with the old key before it expired so that people would normally see the
new key and save it while the old key is still valid.



Re: Web of Trust (a revolution)

2009-03-31 Thread Ed Greshko
Bill Crawford wrote:
> On Tuesday 31 March 2009 15:01:42 Anne Wilson wrote:
> ...
>> Anne
>
> By the way, your mails are showing up as having BAD signature in kmail here
> (the key is available). Is your mailer munging things, or is it the list
> servers?

It only shows up bad when the emails are sent as multipart/alternative
and the html gets wrapped after signing. 


-- 
Are you mentally here at Pizza Hut?? mei-mei.gres...@greshko.com
http://tw.youtube.com/watch?v=cCSz_koUhSg




Re: Web of Trust (a revolution)

2009-03-31 Thread m

Bill Crawford wrote:
> On Monday 30 March 2009 20:12:45 Bruno Wolff III wrote:
>> On Mon, Mar 30, 2009 at 13:46:02 -0400,
>>   Todd Denniston  wrote:
>>> i.e., sure all the root CA's that the browser producers want to include
>>> can come in, but they should have trust DBs that allow each user to tick:
>>> * Never trust this key. (and by extension anything it has signed. Perhaps
>>> with a pop up indicating 'the sig is ok, according to bla, but bla is a
>>> known idiot.')
>>> * Marginal trust. (pop up something saying 'the sig is ok, according to
>>> bla, but you are uncomfortable with bla.')
>>> * Fully trust. (operate as CA's in web browsers since they started
>>> getting CA's.)
>>>
>>> And by default (as released by the browser producers) the keys should be
>>> set to either Never or Marginal.
>>
>> I'd rather see more of a web of trust type model. Right now you can only
>> have one chain of certificates. So you can't have a cert signed by multiple
>> roots.
>
> Ought to be possible for people to visit companies' offices and sign their
> keys, and add them to the "web of trust" as per PGP / GPG keys. No idea if /
> how that should be done, in practice, though.

Difficult at best, who wants to trust a faceless corporation? Not to be
cynical but you might trust the receptionist but what about the IT dept?
Are they competent? Money is no guarantee of anything, in fact the
larger the company the more likely they will let something slip through
the cracks. Companies all say they are secure and trustworthy, but who
is hiring these people? Are there background checks? Should there be?
Probably they outsource that and then you have to see if you can trust
that company too. The main problem is that so much gets outsourced so
dept head A doesn't have to worry about it but who is checking that this
other company is doing it right? It's an endless cycle of paranoia.




--
"Any fool can know. The point is to understand" --Albert Einstein

Bored??
http://fiction.wikia.com/wiki/Fuqwit1.0

http://fiction.wikia.com/wiki/Coding_the_Magic_into_the_Eight_Ball



Re: Web of Trust (a revolution)

2009-03-31 Thread Bill Crawford
On Tuesday 31 March 2009 15:01:42 Anne Wilson wrote:
...
> Anne

By the way, your mails are showing up as having BAD signature in kmail here
(the key is available). Is your mailer munging things, or is it the list
servers?



Re: Web of Trust (a revolution)

2009-03-31 Thread Bill Crawford
On Tuesday 31 March 2009 15:01:42 Anne Wilson wrote:
> On Tuesday 31 March 2009 13:16:42 Tim wrote:
> > On Tue, 2009-03-31 at 12:27 +0100, Bill Crawford wrote:
> > > Ought to be possible for people to visit companies' offices and sign
> > > their keys, and add them to the "web of trust" as per PGP / GPG keys.
> > > No idea if / how that should be done, in practice, though.
> >
> > Actually, I'd like to be able to do something like with banking (go into
> > the branch, and physically confirm keys used for banking).  For the one
> > or two people that I've used encrypted mail with, I exchanged keys in
> > person.
>
> Bear in mind that the Public Key is intended to be just that - public.  It
> is useless to anyone else as only you have the Private Key that forms the
> pair, so there is no problem at all about the public key being accessible. 
> It can *only* be used to compare against your signature.  It cannot be used
> in any attempt to pretend to be you.

Yes, but the point is, without taking that verification step, you've no way of 
being confident that the key you see with name "X" on it actually belongs to 
the person you communicate with named "X". The steps he's outlining go a long 
way towards avoiding "man in the middle" attacks, because he won't be fooled by 
a key with the same name "X" on it, but different. Well, not if he checks the 
key fingerprint anyway :o)



Re: Web of Trust (a revolution)

2009-03-31 Thread Anne Wilson
On Tuesday 31 March 2009 13:16:42 Tim wrote:
> On Tue, 2009-03-31 at 12:27 +0100, Bill Crawford wrote:
> > Ought to be possible for people to visit companies' offices and sign
> > their keys, and add them to the "web of trust" as per PGP / GPG keys.
> > No idea if / how that should be done, in practice, though.
>
> Actually, I'd like to be able to do something like with banking (go into
> the branch, and physically confirm keys used for banking).  For the one
> or two people that I've used encrypted mail with, I exchanged keys in
> person.
>
Bear in mind that the Public Key is intended to be just that - public.  It is 
useless to anyone else as only you have the Private Key that forms the pair, 
so there is no problem at all about the public key being accessible.  It can 
*only* be used to compare against your signature.  It cannot be used in any 
attempt to pretend to be you.

Anne
-- 
New to KDE4? - get help from http://userbase.kde.org
Just found a cool new feature?  Add it to UserBase



Re: Web of Trust (a revolution)

2009-03-31 Thread Tim
On Tue, 2009-03-31 at 12:27 +0100, Bill Crawford wrote:
> Ought to be possible for people to visit companies' offices and sign
> their keys, and add them to the "web of trust" as per PGP / GPG keys.
> No idea if / how that should be done, in practice, though.

Actually, I'd like to be able to do something like with banking (go into
the branch, and physically confirm keys used for banking).  For the one
or two people that I've used encrypted mail with, I exchanged keys in
person.

-- 
[...@localhost ~]$ uname -r
2.6.27.19-78.2.30.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: Web of Trust (a revolution)

2009-03-31 Thread Bill Crawford
On Monday 30 March 2009 20:12:45 Bruno Wolff III wrote:
> On Mon, Mar 30, 2009 at 13:46:02 -0400,
>
>   Todd Denniston  wrote:
> > i.e., sure all the root CA's that the browser producers want to include
> > can come in, but they should have trust DBs that allow each user to tick:
> > * Never trust this key. (and by extension anything it has signed. Perhaps
> > with a pop up indicating 'the sig is ok, according to bla, but bla is a
> > known idiot.')
> > * Marginal trust. (pop up something saying 'the sig is ok, according to
> > bla, but you are uncomfortable with bla.')
> > * Fully trust. (operate as CA's in web browsers since they started
> > getting CA's.)
> >
> > And by default (as released by the browser producers) the keys should be
> > set to either Never or Marginal.
>
> I'd rather see more of a web of trust type model. Right now you can only
> have one chain of certificates. So you can't have a cert signed by multiple
> roots.

Ought to be possible for people to visit companies' offices and sign their
keys, and add them to the "web of trust" as per PGP / GPG keys. No idea if /
how that should be done, in practice, though.

> There is nothing keeping track of the cert you previously saw for a site
> (unless you remove all of the CA certs) so that you get warned when it
> changes. (At least if the new cert isn't signed by the old one.)

That could, perhaps should, be done by the browser. Ultimately, DNSSEC needs to
be used everywhere, and the keys for a domain stored in the DNS alongside the
host records (A, , CNAME). SSL keys, I mean, for services. That's the only way
to do it (although it still doesn't prevent a domain being "hijacked" due to
inattentive registrars allowing spurious transfers).

> CAs that charge extra in order to sign certs that have flag set to
> indicate that they can sign other certs in subdomains should be boycotted.

This is actually a rotten idea. If you need internal testing systems, or to 
dynamically create them as needed, or you want to run shared hosting using SSL 
(as we do for internal testing, since our application requires SSL enabled) 
then being able to sign your own sub-domains and / or have a wildcard are 
pretty much essential.

> Sites with self signed certs that prevent passive snooping get treated as
> the same as going to a site without ssl and not triggering all sorts of
> inappropriate warnings that look scary and make people jump through hoops
> to bypass them.

That's a separate issue; it's a pain, but if a "root" CA updates their keys at 
any point, older browsers / operating systems may well experience a period 
of "messages popping up telling me they can't verify the certificate" ...



Re: Web of Trust (a revolution)

2009-03-30 Thread Tim
On Mon, 2009-03-30 at 23:04 +0200, Kevin Kofler wrote:
> HTTPS should displace HTTP the same way SSH displaced telnet. Most
> people think people still using telnet as a remote shell are crazy
> (and they're probably right), yet they'll happily use the just as
> insecure unencrypted HTTP.

Likewise for mail logons.  Just about everything sends username and
password in the clear.  That's really bad news for security on some
networks, e.g. cable broadband.

-- 
[...@localhost ~]$ uname -r
2.6.27.19-78.2.30.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: Web of Trust (a revolution)

2009-03-30 Thread Tim
On Mon, 2009-03-30 at 20:14 -0500, Mikkel L. Ellertson wrote:
> I guess I have a problem - I only meet people online, so nobody is
> going to be able to sign my key. All they have to go by is my signed
> messages.

I have a related sort of problem:  If I were to meet someone in person,
I have no real identification that I could offer to prove who I am.
I've never had a driver's license, passport, or anything else that gets
a proper vetting before being issued to me.

Other things that could be used to sort of identify me aren't really
valid.  I browbeat the bank into letting me open an account, because I
had nothing that categorically proved who I am.  They gave in, as I'm
sure plenty of other places that do crap vetting will do.

During the process I gave them a bit of a berating about other things
they said they'll accept to identify me (a handful of bills addressed to
the same address, a birth certificate, etc.), all of which anybody could
steal from almost any house.

-- 
[...@localhost ~]$ uname -r
2.6.27.19-78.2.30.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: Web of Trust (a revolution)

2009-03-30 Thread Mikkel L. Ellertson
Todd Zullinger wrote:
> Anne Wilson wrote:
>> Exactly.  In this case there were all the appropriate checks, but
>> all you can see is a list of names, and I suppose you can check that
>> those names are ones you have reason to trust, but that's all, and
>> it's a bit vague.
> 
> Doesn't it go without saying that each person should only trust people
> that they, well, trust? :)
> 
Well, I guess I have a problem - I only meet people online, so
nobody is going to be able to sign my key. All they have to go by is
my signed messages.

Mikkel
-- 

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!




Re: Web of Trust (a revolution)

2009-03-30 Thread Todd Zullinger
Anne Wilson wrote:
> Exactly.  In this case there were all the appropriate checks, but
> all you can see is a list of names, and I suppose you can check that
> those names are ones you have reason to trust, but that's all, and
> it's a bit vague.

Doesn't it go without saying that each person should only trust people
that they, well, trust? :)

> Absolutely.  It would help if the action of signing included some
> information about the act, such as whether it was carried out at a
> LUG, Conference, or some other organisation, so you could come to
> some decision about its reliability, but there is no such thing.

Actually, there is a way to make such notes (though that still won't
mean much to anyone that doesn't already trust you to make decent
signatures).

You can include notations when you sign/certify a key.  You can also
include a certification policy URL.  These can be displayed in gpg
with the show-notations and show-policy-urls list options.

For example, on keys I've signed in the past few years, I added a
policy URL.  The results look a bit like this:

$ gpg --list-options 'show-policy-urls' --list-sigs silfreed
pub   1024D/ED00D312 2000-06-21
uid  Douglas E. Warner 
sig 3ED00D312 2005-11-02  Douglas E. Warner 
sig 2   PBEAF0CE3 2006-08-07  Todd M. Zullinger 
   Signature policy: http://www.pobox.com/~tmz/pgp/cert-policy.asc
[...]

I don't intend for that to make anyone trust my signatures unless they
know a bit about me, of course.  But I do try to be a good example and
let those who may trust me know just what I mean when they see a
signature from me on a key.

Both notations and cert policy URLs may contain some data that is
unique to a particular signature.  Strings such as %k, %K, and %f will
be expanded to the short key id, long key id, and fingerprint of the
key being signed, respectively.  That way, you could make the notation
or policy URL point to a page for each signature.  There you could
include such details as where you met, what information you exchanged,
etc.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Hard work never killed anybody, but why take a chance?
-- Charlie McCarthy
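
The fingerprint check Bill Crawford describes earlier in the thread and the %k, %K and %f expansions mentioned above rest on the same values, so this added example (not part of any post, and not gpg's code) derives them for a version 4 OpenPGP key as RFC 4880 defines them. The two keys are constructed toy RSA values, the example.org policy URL is hypothetical, and the uppercase hex formatting is an assumption.

```python
import hashlib
import struct


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-octet bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 Public-Key packet carrying an RSA key (algorithm 1)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def fingerprint(body: bytes) -> str:
    """V4 fingerprint (RFC 4880, 12.2): SHA-1 of 0x99, 2-octet length, packet body."""
    prefix = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(prefix + body).hexdigest().upper()


def long_key_id(fpr: str) -> str:
    """Key ID: the low-order 64 bits of the fingerprint."""
    return fpr[-16:]


def short_key_id(fpr: str) -> str:
    """Short key ID, as in 'ED00D312': the low-order 32 bits."""
    return fpr[-8:]


def matches_in_person(body: bytes, fpr_from_owner: str) -> bool:
    """Compare a key against the fingerprint its owner read out or handed over.

    Spaces and letter case are ignored; a key ID alone is rejected because
    it is too short to rule out a look-alike key.
    """
    wanted = "".join(fpr_from_owner.split()).upper()
    return len(wanted) == 40 and fingerprint(body) == wanted


def expand(template: str, body: bytes) -> str:
    """Expand %k, %K and %f for the key being signed; %% gives a literal %."""
    fpr = fingerprint(body)
    table = {"k": short_key_id(fpr), "K": long_key_id(fpr), "f": fpr, "%": "%"}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in table:
            out.append(table[template[i + 1]])
            i += 2
        else:
            out.append(template[i])  # unknown sequences are left untouched
            i += 1
    return "".join(out)


# Constructed sample data. Both keys would carry the same User ID, say
# "X <x@example.org>"; the User ID packet is not hashed into the fingerprint,
# so only the key material tells the two apart.
CREATED = 1238457600  # 2009-03-31 00:00:00 UTC
GENUINE = rsa_public_key_body(CREATED, (2**61 - 1) * (2**89 - 1), 65537)
IMPOSTOR = rsa_public_key_body(CREATED, (2**61 - 1) * (2**107 - 1), 65537)
POLICY_TEMPLATE = "https://example.org/pgp/certs/%K.txt"  # hypothetical URL

if __name__ == "__main__":
    card = fingerprint(GENUINE)  # what the owner hands over in person
    for label, key in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(label, fingerprint(key), "match:", matches_in_person(key, card))
    print(expand(POLICY_TEMPLATE, GENUINE))
```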




Re: Web of Trust (a revolution)

2009-03-30 Thread Kevin Kofler
Bruno Wolff III wrote:
> Sites with self signed certs that prevent passive snooping get treated as
> the same as going to a site without ssl and not triggering all sorts of
> inappropriate warnings that look scary and make people jump through hoops
> to bypass them.

+1, this really needs fixing. It leads to several sites actually downgrading
security (not using encryption at all) just to prevent those warnings.

We'd see much wider adoption of HTTPS if self-signed certificates weren't
treated any worse than plain unencrypted (and totally insecure) HTTP.

HTTPS should displace HTTP the same way SSH displaced telnet. Most people
think people still using telnet as a remote shell are crazy (and they're
probably right), yet they'll happily use the just as insecure unencrypted
HTTP.

Kevin Kofler



Re: Web of Trust (a revolution)

2009-03-30 Thread Bruno Wolff III
On Mon, Mar 30, 2009 at 13:46:02 -0400,
  Todd Denniston  wrote:
>
> i.e., sure all the root CA's that the browser producers want to include 
> can come in, but they should have trust DBs that allow each user to tick:
> * Never trust this key. (and by extension anything it has signed. Perhaps 
> with a pop up indicating 'the sig is ok, according to bla, but bla is a 
> known idiot.')
> * Marginal trust. (pop up something saying 'the sig is ok, according to 
> bla, but you are uncomfortable with bla.')
> * Fully trust. (operate as CA's in web browsers since they started getting 
> CA's.)
>
> And by default (as released by the browser producers) the keys should be 
> set to either Never or Marginal.

I'd rather see more of a web of trust type model. Right now you can only have
one chain of certificates. So you can't have a cert signed by multiple
roots.

There is nothing keeping track of the cert you previously saw for a site
(unless you remove all of the CA certs) so that you get warned when it
changes. (At least if the new cert isn't signed by the old one.)

CAs that charge extra in order to sign certs that have flag set to
indicate that they can sign other certs in subdomains should be boycotted.

Sites with self signed certs that prevent passive snooping get treated as the
same as going to a site without ssl and not triggering all sorts of inappropriate
warnings that look scary and make people jump through hoops to bypass them.
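
An added sketch (not from any post in the thread, and not how Firefox behaves) of two ideas raised in it: remember the cert last seen for a site and warn when it changes, unless the new key was signed by the old one while the old one was still valid. Textbook RSA over small constructed primes stands in for a real signature scheme and is not secure; every name, host and time value is made up for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)
E = 65537


def toy_keypair(p: int, q: int) -> Tuple[PublicKey, PrivateKey]:
    """Textbook RSA from two primes: a stand-in signature scheme, not secure."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def key_fingerprint(pub: PublicKey) -> str:
    return hashlib.sha256(f"{pub[0]:x}:{pub[1]:x}".encode()).hexdigest()


def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv: PrivateKey, message: bytes) -> int:
    n, d = priv
    return pow(_digest(message, n), d, n)


def verify(pub: PublicKey, message: bytes, signature: int) -> bool:
    n, e = pub
    return 0 <= signature < n and pow(signature, e, n) == _digest(message, n)


def rollover_statement(host: str, new_pub: PublicKey) -> bytes:
    """What the old key signs: 'this host is moving to this new key'."""
    return f"rollover|{host}|{key_fingerprint(new_pub)}".encode()


@dataclass(frozen=True)
class Cert:
    host: str
    pub: PublicKey
    not_after: int                     # expiry, in arbitrary time units
    endorsement: Optional[int] = None  # signature by the previous key, if any


class PinStore:
    """Remembers the cert last seen per host and classifies each new sighting."""

    def __init__(self) -> None:
        self._pins: Dict[str, Cert] = {}

    def check(self, cert: Cert, now: int) -> str:
        pinned = self._pins.get(cert.host)
        if pinned is None:
            self._pins[cert.host] = cert
            return "first-seen"
        if pinned.pub == cert.pub:
            return "unchanged"
        # Key changed: accept silently only if the pinned key vouches for the
        # new one and the pinned key has not expired yet.
        endorsed = (
            cert.endorsement is not None
            and now <= pinned.not_after
            and verify(pinned.pub, rollover_statement(cert.host, cert.pub),
                       cert.endorsement)
        )
        if endorsed:
            self._pins[cert.host] = cert
            return "rollover"
        return "CHANGED"


def demo() -> Tuple[list, list]:
    host = "www.example.org"
    old_pub, old_priv = toy_keypair(2**61 - 1, 2**89 - 1)
    new_pub, _ = toy_keypair(2**107 - 1, 2**127 - 1)
    other_pub, other_priv = toy_keypair(2**61 - 1, 2**127 - 1)

    old = Cert(host, old_pub, not_after=200)
    new = Cert(host, new_pub, not_after=400,
               endorsement=sign(old_priv, rollover_statement(host, new_pub)))
    # A substituted cert can only carry an endorsement made with its own key.
    other = Cert(host, other_pub, not_after=400,
                 endorsement=sign(other_priv, rollover_statement(host, other_pub)))

    regular, absent = PinStore(), PinStore()
    seen_regularly = [
        regular.check(old, 100),    # first visit pins the old key
        regular.check(old, 150),
        regular.check(other, 160),  # not signed by the pinned key: warn
        regular.check(new, 180),    # signed by the old key before it expired
        regular.check(new, 190),
        regular.check(old, 195),    # going back to the retired key: warn
    ]
    seen_too_late = [
        absent.check(old, 100),
        absent.check(new, 250),     # old key expired before the new one was seen
    ]
    return seen_regularly, seen_too_late


if __name__ == "__main__":
    print(demo())
```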



Re: Web of Trust (a revolution)

2009-03-30 Thread Todd Denniston

Tim wrote, On 03/30/2009 12:51 PM:
> That sort of decision would be based on popularity (a problem you'd like
> to see overcome, and could be overcome, given enough of a push, but
> whether we have the numbers is another matter), and whether the
> certificate authority is effective enough to support (i.e. why add any
> root certificate that proves very little).
>
> Then there's trying to convince organisations to use less trustworthy
> root certificates.  Who wants their service to be flagged by web
> browsers as "encrypted but a bit risky"?
>
> It's perceptual, and ignoring the fact that existing, apparently better
> certificates, are currently used by some services that don't prove who
> they are any better than the lesser known root certificates.  But that's
> the point of certificates - how things *look* to the casual observer.

It is too bad we can't (as currently implemented) take a slightly less brutal
tack than Mr. Wolff has suggested.


i.e., sure all the root CA's that the browser producers want to include can 
come in, but they should have trust DBs that allow each user to tick:
* Never trust this key. (and by extension anything it has signed. Perhaps with 
a pop up indicating 'the sig is ok, according to bla, but bla is a known idiot.')
* Marginal trust. (pop up something saying 'the sig is ok, according to bla, 
but you are uncomfortable with bla.')

* Fully trust. (operate as CA's in web browsers since they started getting 
CA's.)

And by default (as released by the browser producers) the keys should be set 
to either Never or Marginal.


--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter



Re: Web of Trust (a revolution)

2009-03-30 Thread Bruno Wolff III
On Tue, Mar 31, 2009 at 03:21:12 +1030,
  Tim  wrote:
> 
> Just how many root certificates are software builders willing to add?

As many as contribute funding.



Re: Web of Trust (a revolution)

2009-03-30 Thread Bruno Wolff III
On Mon, Mar 30, 2009 at 09:50:20 -0700,
  Craig White  wrote:
> I'm not sure that I agree with you at all but you're being vague. If I
> assume that you are talking about the way Firefox handles untrusted
> certificates with their alert and requires you to 'get the certificate'
> and accept & store or merely temporarily accept, then I disagree...I
> very much like the way they are handling untrusted certificates. By
> contrast, the way most portable devices such as iPhones, Blackberries,
> etc. handle untrusted certificates glosses over these details to the
> point of scary.

Because you have to jump through hoops if all you want is protection from
passive eavesdropping and not assurance that I am connected to the correct
web site. (And even the roots CAs don't provide that. They provide assurance
about the connection matching the domain name, which isn't really the
same thing.)

> I'm not sure at all what you are accomplishing by removing the normally
> trusted root certificates.

If I return to a site I notice whether or not the certificate has changed.
The UI still sucks for this, since it wasn't designed to be used this way.

I have no special trust relationship with any of the organizations that
have their certs included in firefox, and they don't certify what I really
want to know, so they just get in the way.



Re: Web of Trust (a revolution)

2009-03-30 Thread Craig White
On Mon, 2009-03-30 at 11:42 -0500, Bruno Wolff III wrote:
> On Mon, Mar 30, 2009 at 09:18:45 -0700,
>   Craig White  wrote:
> > 
> > I agree that you are discussing the present day practical limitations
> > but the concept of an open certificate authority would seem to defeat
> > most, if not all of the problems of a corporate certificate authority
> > such as Verisign or Thawte, etc. It would seem that those who harbor
> > those concerns should join openca.org, help it reach critical mass, help
> > it get root certificates installed in browsers by default, etc.
> 
> That isn't the real issue. I am not going to trust OpenCA any more than I
> trust Verisign or Thawte now. (i.e. if they have their certs in by default,
> it just makes more certs for me to remove.)
> What really needs to happen is a more sensible way of handling ssl
> connections.
> What Firefox currently does is ridiculous.

I'm not sure that I agree with you at all but you're being vague. If I
assume that you are talking about the way Firefox handles untrusted
certificates with their alert and requires you to 'get the certificate'
and accept & store or merely temporarily accept, then I disagree...I
very much like the way they are handling untrusted certificates. By
contrast, the way most portable devices such as iPhones, Blackberries,
etc. handle untrusted certificates glosses over these details to the
point of scary.

I'm not sure at all what you are accomplishing by removing the normally
trusted root certificates.

Craig



Re: Web of Trust (a revolution)

2009-03-30 Thread Tim
Craig White:
>>> http://www.openca.org/

Tim:
>> Though that leaves you with a few problems:  
>> 
>> Few clients recognise them as an authority  ... (and) ...  not so
>> trustworthy trusting

Craig White:
> I agree that you are discussing the present day practical limitations
> but the concept of an open certificate authority would seem to defeat
> most, if not all of the problems of a corporate certificate authority
> such as Verisign or Thawte, etc. It would seem that those who harbor
> those concerns should join openca.org, help it reach critical mass, help
> it get root certificates installed in browsers by default, etc.

I agree it would be nice to bring in something better than some of the
existing systems, but I see two big problems in getting yet another root
certificate adopted:  

Just how many root certificates are software builders willing to add?
If they feel the list is getting too big (I'm sure there must be lots of
small certificate authorities, or organisations that want to be one),
they may settle for *just* the ones they feel are most important.

That sort of decision would be based on popularity (a problem you'd like
to see overcome, and could be overcome, given enough of a push, but
whether we have the numbers is another matter), and whether the
certificate authority is effective enough to support (i.e. why add any
root certificate that proves very little).

Then there's trying to convince organisations to use less trustworthy
root certificates.  Who wants their service to be flagged by web
browsers as "encrypted but a bit risky"?

It's perceptual, and ignoring the fact that existing, apparently better
certificates, are currently used by some services that don't prove who
they are any better than the lesser known root certificates.  But that's
the point of certificates - how things *look* to the casual observer.

-- 
[...@localhost ~]$ uname -r
2.6.27.19-78.2.30.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: Web of Trust (a revolution)

2009-03-30 Thread Bruno Wolff III
On Mon, Mar 30, 2009 at 09:18:45 -0700,
  Craig White  wrote:
> 
> I agree that you are discussing the present day practical limitations
> but the concept of an open certificate authority would seem to defeat
> most, if not all of the problems of a corporate certificate authority
> such as Verisign or Thawte, etc. It would seem that those who harbor
> those concerns should join openca.org, help it reach critical mass, help
> it get root certificates installed in browsers by default, etc.

That isn't the real issue. I am not going to trust OpenCA any more than I
trust Verisign or Thawte now. (i.e. if they have their certs in by default,
it just makes more certs for me to remove.)
What really needs to happen is a more sensible way of handling ssl connections.
What Firefox currently does is ridiculous.



Re: Web of Trust (a revolution)

2009-03-30 Thread Craig White
On Tue, 2009-03-31 at 02:22 +1030, Tim wrote:
> On Mon, 2009-03-30 at 08:24 -0700, Craig White wrote:
> > http://www.openca.org/
> 
> Though that leaves you with a few problems:  
> 
> Few clients recognise them as an authority.  If they want to use them,
> users have to figure out how to add their root certificate (if they
> can).  And that's not just *you*, but the person you want to converse
> with.
> 
> And even then, that leaves ordinary users with not so trustworthy
> trusting (certificates issued without much vetting, and there's users
> who have no way to prove who they really are to get a really good
> certificate), and users just unthinkingly okaying not so trustable
> certificates.

I agree that you are discussing the present day practical limitations
but the concept of an open certificate authority would seem to defeat
most, if not all of the problems of a corporate certificate authority
such as Verisign or Thawte, etc. It would seem that those who harbor
those concerns should join openca.org, help it reach critical mass, help
it get root certificates installed in browsers by default, etc.

Craig



Re: Web of Trust (a revolution)

2009-03-30 Thread Tim
On Mon, 2009-03-30 at 08:24 -0700, Craig White wrote:
> http://www.openca.org/

Though that leaves you with a few problems:  

Few clients recognise them as an authority.  If they want to use them,
users have to figure out how to add their root certificate (if they
can).  And that's not just *you*, but the person you want to converse
with.

And even then, that leaves ordinary users with not so trustworthy
trusting (certificates issued without much vetting, and there's users
who have no way to prove who they really are to get a really good
certificate), and users just unthinkingly okaying not so trustable
certificates.

-- 
[...@localhost ~]$ uname -r
2.6.27.19-78.2.30.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: Web of Trust (a revolution)

2009-03-30 Thread Bruno Wolff III
On Mon, Mar 30, 2009 at 08:55:52 -0500,
  Aaron Konstam  wrote:
> What is wrong with Verisign?

Lots of things. They did spin off some of their evil when they made Network
Solutions a separate entity again, but I am sure there is still plenty of
evil left behind.



Re: Web of Trust (a revolution)

2009-03-30 Thread Craig White
On Tue, 2009-03-31 at 00:48 +1030, Tim wrote:
> On Mon, 2009-03-30 at 08:55 -0500, Aaron Konstam wrote:
> > What is wrong with Verisign?
> 
> Is that a loaded question, or what?
> 
> Some have no kind words for the company.  Here's a short bit about that:
> http://en.wikipedia.org/wiki/VeriSign#Controversies
> 
> Leaving that aside, there's the issues of:  
> 
> Cost of getting a genuinely vetted certificate (there's cheap badly
> tested certification that just sees if you respond to an email address,
> and expensive better vetting that requires more sane checks to see if
> you're who you claim to be before being certified).
> 
> Technical support for using certificates in whatever clients are
> involved (your client, plus whomever you communicate with).  Of course,
> PGP has that issue, too.

http://www.openca.org/

Craig



Re: Web of Trust (a revolution)

2009-03-30 Thread Frank Cox
On Tue, 31 Mar 2009 00:48:01 +1030
Tim wrote:

> On Mon, 2009-03-30 at 08:55 -0500, Aaron Konstam wrote:
> > What is wrong with Verisign?
> 
> Is that a loaded question, or what?

Directly on point, someone persuaded Verisign to issue genuine Microsoft
Corporation keys to them in 2001.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com



Re: Web of Trust (a revolution)

2009-03-30 Thread Tim
On Mon, 2009-03-30 at 08:55 -0500, Aaron Konstam wrote:
> What is wrong with Verisign?

Is that a loaded question, or what?

Some have no kind words for the company.  Here's a short bit about that:
http://en.wikipedia.org/wiki/VeriSign#Controversies

Leaving that aside, there's the issues of:  

Cost of getting a genuinely vetted certificate (there's cheap badly
tested certification that just sees if you respond to an email address,
and expensive better vetting that requires more sane checks to see if
you're who you claim to be before being certified).

Technical support for using certificates in whatever clients are
involved (your client, plus whomever you communicate with).  Of course,
PGP has that issue, too.

-- 
[...@localhost ~]$ uname -r
2.6.27.19-78.2.30.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: Web of Trust (a revolution)

2009-03-30 Thread Aaron Konstam
On Mon, 2009-03-30 at 22:17 +1030, Tim wrote:
> On Mon, 2009-03-30 at 11:23 +0100, Anne Wilson wrote:
> > If you examine my key you will see that it is signed by a number of
> > people who have properly verified that I am who I say I am.  This is
> > essential for the web of trust to work, but frankly it is not
> > understood by many people, and I've seen conversations where people
> > will sign anyone's key.  The whole web of trust falls apart when this
> > happens.
> 
> Looking at your key, using the seahorse program, I can see nothing that
> gives me any indication that the signers have checked anything, only a
> list of names of who the signers are.  Not very helpful...  You'd have
> to use something else to see certification levels, e.g. command line
> tools.  Of course the indicator will only be that person X *says*
> they've checked you out.  There's nothing to enforce them being
> truthful.
> 
> As you say, some will sign anything willy nilly.  The web of trust is
> really only useful with people that you actually know.  You can't make
> any assumptions just because a key is counter-signed.  A third party's
> referral is useless.  The only third party that you could trust would be
> some service that you know refuses to sign keys without adequate
> verification, assuming that there is one, and that you know of their
> reputation.

What is wrong with Verisign?

--
===
Freedom begins when you tell Mrs. Grundy to go fly a kite.
===
Aaron Konstam telephone: (210) 656-0355 e-mail: akons...@sbcglobal.net



Re: Web of Trust (a revolution)

2009-03-30 Thread Anne Wilson
On Monday 30 March 2009 12:47:49 Tim wrote:
> On Mon, 2009-03-30 at 11:23 +0100, Anne Wilson wrote:
> > If you examine my key you will see that it is signed by a number of
> > people who have properly verified that I am who I say I am.  This is
> > essential for the web of trust to work, but frankly it is not
> > understood by many people, and I've seen conversations where people
> > will sign anyone's key.  The whole web of trust falls apart when this
> > happens.
>
> Looking at your key, using the seahorse program, I can see nothing that
> gives me any indication that the signers have checked anything, only a
> list of names of who the signers are.  Not very helpful...  You'd have
> to use something else to see certification levels, e.g. command line
> tools.  Of course the indicator will only be that person X *says*
> they've checked you out.  There's nothing to enforce them being
> truthful.
>
Exactly.  In this case there were all the appropriate checks, but all you can 
see is a list of names, and I suppose you can check that those names are ones 
you have reason to trust, but that's all, and it's a bit vague.  The person 
who signed the key had to produce their own key to sign it, and that key will 
also have signatures of people that have checked his identity, but it does 
depend entirely on the web of trust being respected, carried out to the 
letter.  Which was my point.

> As you say, some will sign anything willy nilly.  The web of trust is
> really only useful with people that you actually know.  You can't make
> any assumptions just because a key is counter-signed.  A third party's
> referral is useless.  The only third party that you could trust would be
> some service that you know refuses to sign keys without adequate
> verification, assuming that there is one, and that you know of their
> reputation.
>
Absolutely.  It would help if the action of signing included some information 
about the act, such as whether it was carried out at a LUG, Conference, or 
some other organisation, so you could come to some decision about its 
reliability, but there is no such thing.  Consequently I am advocating, as you 
are, careful thought about how much credence to put on gpg- (or pgp-) signing.

Anne
-- 
New to KDE4? - get help from http://userbase.kde.org
Just found a cool new feature?  Add it to UserBase



Re: Web of Trust (a revolution)

2009-03-30 Thread Tim
On Mon, 2009-03-30 at 11:23 +0100, Anne Wilson wrote:
> If you examine my key you will see that it is signed by a number of
> people who have properly verified that I am who I say I am.  This is
> essential for the web of trust to work, but frankly it is not
> understood by many people, and I've seen conversations where people
> will sign anyone's key.  The whole web of trust falls apart when this
> happens.

Looking at your key, using the seahorse program, I can see nothing that
gives me any indication that the signers have checked anything, only a
list of names of who the signers are.  Not very helpful...  You'd have
to use something else to see certification levels, e.g. command line
tools.  Of course the indicator will only be that person X *says*
they've checked you out.  There's nothing to enforce them being
truthful.

As you say, some will sign anything willy nilly.  The web of trust is
really only useful with people that you actually know.  You can't make
any assumptions just because a key is counter-signed.  A third party's
referral is useless.  The only third party that you could trust would be
some service that you know refuses to sign keys without adequate
verification, assuming that there is one, and that you know of their
reputation.

-- 
[...@localhost ~]$ uname -r
2.6.27.19-78.2.30.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.
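
Added example, not part of any message in this thread: the certification levels Tim mentions can be read from the machine-readable output of `gpg --with-colons --list-sigs <key>`, where field 11 of each `sig` record carries the OpenPGP signature class. The listing, key IDs and names below are constructed, and the level is still only what the signer claims.

```python
# OpenPGP certification signature classes (RFC 4880, section 5.2.1).
CERT_LEVELS = {
    0x10: "generic: signer states nothing about checking",
    0x11: "persona: signer did no verification",
    0x12: "casual: signer did some verification",
    0x13: "positive: signer did substantial verification",
}

# Constructed sample in GnuPG colon format; key IDs, dates and names are made up.
SAMPLE = """\
pub:f:2048:1:AAAAAAAAAAAAAAAA:1167609600:::-:::scESC:
uid:f::::1167609600::0000000000000000000000000000000000000000::Alice Example <alice@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1167609600::::Alice Example <alice@example.org>:13x:
sig:::1:BBBBBBBBBBBBBBBB:1199145600::::Bob Example <bob@example.org>:10x:
sig:::1:CCCCCCCCCCCCCCCC:1230768000::::Carol Example <carol@example.org>:13x:
sig:::1:DDDDDDDDDDDDDDDD:1230768000::::[User ID not found]:11l:
"""


def certifications(colon_output):
    """Return one dict per certification signature found on each user ID."""
    certs, primary, uid = [], None, None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary, uid = f[4], None
        elif f[0] == "sub":
            uid = None  # records after a subkey are bindings, not certifications
        elif f[0] == "uid":
            uid = f[9]
        elif f[0] == "sig" and uid is not None and len(f) > 10:
            try:
                level = int(f[10][:2], 16)  # two hex digits, then 'x' or 'l'
            except ValueError:
                continue
            if level not in CERT_LEVELS:
                continue  # e.g. revocations (0x30) are not certifications
            certs.append({
                "uid": uid,
                "signer": f[4],
                "signer_name": f[9],
                "level": level,
                "meaning": CERT_LEVELS[level],
                "exportable": f[10].endswith("x"),  # 'l' marks a local-only signature
                "self_sig": f[4] == primary,
            })
    return certs


def claims_verification(certs):
    """Key IDs of third parties who at least claim to have checked the owner."""
    return [c["signer"] for c in certs
            if not c["self_sig"] and c["level"] in (0x12, 0x13)]


if __name__ == "__main__":
    for c in certifications(SAMPLE):
        who = "self" if c["self_sig"] else c["signer"]
        print(f"{who:16}  0x{c['level']:02x}  {c['meaning']}")
    print("claimed checks by:", claims_verification(certifications(SAMPLE)))
```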





Re: Web of Trust (a revolution)

2009-03-30 Thread Anne Wilson
On Monday 30 March 2009 08:28:12 Stanisław T. Findeisen wrote:
> Mikkel L. Ellertson wrote:
> > Let me see - The Gnupg package is included with Fedora. RPMs are
> > signed with a GPG key - each version has its own key. The extra
> > repositories have their own keys. When their was a possibility that
> > the keys had been compromised, new keys were issued. It is not like
> > Fedora isn't already using gpg...
> >
> > About the only change I can see would be signing the files needed to
> > do a network install...
>
> I was talking about the community more, than about the repos. Is GnuPG
> widely used in the community? How about the people from M$ world?
>
> Again: promoting GnuPG would promote:
> * GNU
> * free software
> * security and authenticity
> * bazaar model
> * mutual trust
> all at the same time.
>
> Maybe that would be better than to sit and wait for Microsoft/whatever
> to sell everybody his X.509 Wide use of encryption/digital
> signatures will come sooner or later, I guess.
>
If you examine my key you will see that it is signed by a number of people who 
have properly verified that I am who I say I am.  This is essential for the 
web of trust to work, but frankly it is not understood by many people, and 
I've seen conversations where people will sign anyone's key.  The whole web of 
trust falls apart when this happens.

Since the criteria for correct verification is very precise, I can't see most 
people getting their keys signed, and without that, the point of using a key 
is very limited.

Anne
-- 
New to KDE4? - get help from http://userbase.kde.org
Just found a cool new feature?  Add it to UserBase



Re: Web of Trust (a revolution)

2009-03-30 Thread Stanisław T. Findeisen

Mikkel L. Ellertson wrote:
> Let me see - The Gnupg package is included with Fedora. RPMs are
> signed with a GPG key - each version has its own key. The extra
> repositories have their own keys. When there was a possibility that
> the keys had been compromised, new keys were issued. It is not like
> Fedora isn't already using gpg...
>
> About the only change I can see would be signing the files needed to
> do a network install...


I was talking about the community more, than about the repos. Is GnuPG 
widely used in the community? How about the people from M$ world?


Again: promoting GnuPG would promote:
* GNU
* free software
* security and authenticity
* bazaar model
* mutual trust
all at the same time.

Maybe that would be better than to sit and wait for Microsoft/whatever 
to sell everybody his X.509 Wide use of encryption/digital 
signatures will come sooner or later, I guess.


STF

===
http://eisenbits.homelinux.net/~stf/
OpenPGP: 9D25 3D89 75F1 DF1D F434  25D7 E87F A1B9 B80F 8062
===




Re: Web of Trust (a revolution)

2009-03-27 Thread Mikkel L. Ellertson
Stanisław T. Findeisen wrote:
> Friends,
> 
> Inspired by the recent problems with checksums for various installation
> files of Fedora 10, may I be allowed to say, that I think that broader
> adoption of OpenPGP standard (gpg) among Fedora (and Free Software)
> developers and users could be a desirable and advertising-worth goal.
> It could be a Strategy.
> 
Let me see - The Gnupg package is included with Fedora. RPMs are
signed with a GPG key - each version has its own key. The extra
repositories have their own keys. When there was a possibility that
the keys had been compromised, new keys were issued. It is not like
Fedora isn't already using gpg...

About the only change I can see would be signing the files needed to
do a network install...

Mikkel
-- 

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!


