Re: plaintext non-ssl distribution - who things this is a good idea?

2015-09-11 Thread Werner Koch
On Fri, 11 Sep 2015 00:05, r...@sixdemonbag.org said:

> (Getting an Authenticode certificate, for instance.)

FWIW, the Gpg4win installer is code signed.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: plaintext non-ssl distribution - who things this is a good idea?

2015-09-11 Thread Werner Koch
Hi,

The OP is continuing to "spam" the bug tracker.  For the record:


OP:
  [Claims of linking FTP mirrors which are not secure and to the known
   problem of the non-https gpg4win site.]

me:
  This has nothing to do with gnupg.org.  And if you have followed the
  discussions you will have noticed that I requested to add TLS support
  for gpg4win.  Please keep this bug closed and TAKE THIS TO A MAILING
  LIST - if you want audience for this problem address it in the public
  and not on this bug tracker!  I can't do anything for you here.

OP:
  Stop closing this bug.
  I did take this to the list.
  You or whoever runs/moderates it is blocking my post.
  
  DO NOT CLOSE THIS until such time as windows users are prevented from 
  getting your security solution over totally insecure channels.
  
  This is not a game you know - it's an almost absolute certainty that your 
  careless security attitude will GET PEOPLE KILLED.
  
  Let the person who fixes the insecure distribution problem be the one who 
  closes this bug.  It is not appropriate that your ego needs to win some 
  puerile argument at the expense of other people's safety and lives.

me:
  Nope, I have seen your post.

  I asked you several times to not continue here.
  Again: PLEASE STOP THAT NOW and keep this bug closed.  



Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: plaintext non-ssl distribution - who things this is a good idea?

2015-09-11 Thread Bernhard Reiter
Hi all,

On Friday 11 September 2015 at 00:15:51, Daniel Kahn Gillmor wrote:
> On Thu 2015-09-10 18:05:35 -0400, Robert J. Hansen wrote:
> >> Who else thinks someone should spring for the $10 it would take to
> >> buy and install an SSL certificate for the principal distribution
> >> point of gpg and its signatures on the world's most popular
> >> platform?
> >
> > There are many better ways for Werner to spend his time and money.
> >
> > (Getting an Authenticode certificate, for instance.)

Like Daniel wrote: it takes more than 10€ to do this.

Gpg4win already signs the installer with an Authenticode certificate
(which costs a few hundred €s). 

For services like wald or wiki.gnupg.de, experts have a trust path
via ca.intevation.de. 

However, we believe it is useful to secure some services with TLS.

> But this is a "trusted introducer" problem, and
> the cartel is the only set of trusted introducers available to people
> who don't already have GnuPG.
>
> There is already discussion about getting HTTPS set up for gpg4win.org.
> Bernhard Reiter (cc'ed here) knows about it, and other offers of help
> have already been made over on gpg4win-users...@wald.intevation.org,
> which is a better place to discuss gpg4win-specific issues.
>
> It's more an issue of getting an admin to spend a couple hours coaxing
> the website into compliance and dealing with the fallout from the SNI
> issues.

Yes. 
Background is that Gpg4win traditionally shares some services with some other 
Free Software initiatives, so in comparison to a fresh setup we need to 
detangle and migrate some services. This needs some time and planning from
those that run the services. (And for some years now Gpg4win has not had
the same level of funding that GnuPG has recently acquired. So there are some
old structures to modernise.)

> Bernhard, is there anything else the rest of us can do to get this ball
> rolling?

Thomas (in cc) is one of our system administrators; he will steer the process
from our side and respond to your question (on 
gpg4win-users...@wald.intevation.org I guess, but this is up to him. :) ).

Best,
Bernhard

-- 
www.intevation.de/~bernhard (CEO)    www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner




Re: plaintext non-ssl distribution - who things this is a good idea?

2015-09-11 Thread Werner Koch
On Fri, 11 Sep 2015 00:05, r...@sixdemonbag.org said:

> (Getting an Authenticode certificate, for instance.)

Yeah, when testing the installer I always see that annoying "unknown
issuer" warning.  Thus it is probably a good idea to silence this
warning by signing the installer.  I need to see how to integrate this
into my workflow.

I also need to decide whether to use my smartcard-based release signing
key, but that unfortunately means that a broken smartcard will be quite
expensive.  Given that it is cheap to get a faked code signing key, it
might be okay to use a standard on-disk key.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: plaintext non-ssl distribution - who things this is a good idea?

2015-09-10 Thread Scott Lambdin
and beer

On Thu, Sep 10, 2015 at 6:05 PM, Robert J. Hansen 
wrote:

> > Who else thinks someone should spring for the $10 it would take to
> > buy and install an SSL certificate for the principal distribution
> > point of gpg and its signatures on the world's most popular
> > platform?
>
> There are many better ways for Werner to spend his time and money.
>
> (Getting an Authenticode certificate, for instance.)



-- 

Eat like you give a damn.  Go vegan.


Re: plaintext non-ssl distribution - who things this is a good idea?

2015-09-10 Thread Daniel Kahn Gillmor
On Thu 2015-09-10 18:05:35 -0400, Robert J. Hansen wrote:
>> Who else thinks someone should spring for the $10 it would take to
>> buy and install an SSL certificate for the principal distribution
>> point of gpg and its signatures on the world's most popular
>> platform?
>
> There are many better ways for Werner to spend his time and money.
>
> (Getting an Authenticode certificate, for instance.)

This is not an either/or scenario, please don't pit the one project
against another.

Both can be addressed by dealing with the CA cartel.  It's frustrating
to do this, because we all know that the CA cartel is not particularly
trustworthy as a whole.  But this is a "trusted introducer" problem, and
the cartel is the only set of trusted introducers available to people
who don't already have GnuPG.

There is already discussion about getting HTTPS set up for gpg4win.org.
Bernhard Reiter (cc'ed here) knows about it, and other offers of help
have already been made over on gpg4win-users...@wald.intevation.org,
which is a better place to discuss gpg4win-specific issues.

It's more an issue of getting an admin to spend a couple hours coaxing
the website into compliance and dealing with the fallout from the SNI
issues.

Bernhard, is there anything else the rest of us can do to get this ball
rolling?

--dkg




Re: plaintext non-ssl distribution - who things this is a good idea?

2015-09-10 Thread Robert J. Hansen
> Who else thinks someone should spring for the $10 it would take to
> buy and install an SSL certificate for the principal distribution
> point of gpg and its signatures on the world's most popular
> platform?

There are many better ways for Werner to spend his time and money.

(Getting an Authenticode certificate, for instance.)



Re: plaintext non-ssl distribution - who things this is a good idea?

2015-09-10 Thread Jerry
On Fri, 11 Sep 2015 01:07:52 +1000, cow...@anon.im stated:

> Who else thinks someone should spring for the $10 it would take to buy and
> install an SSL certificate for the principal distribution point of gpg and
> its signatures on the world's most popular platform?
> 
> http://gpg4win.org/download.html
> http://files.gpg4win.org/gpg4win-2.2.6.exe
> http://files.gpg4win.org/gpg4win-2.2.6.exe.sig

I'll chip in.

-- 
Jerry
