On Wednesday 05 January 2011 19:49:36 Fabio Spelta wrote:
> >
> > Which means that if somebody is attacking you he will substitute both the
> > signature file and my key when you download it. So you gain very little,
> > unless you have some other trust path.
> >
> >
> Well, they should also hijack the connection with the keyserver site. While
> being the man in the middle in a HTTP connection (thus, the one used to
> download the freenet binaries) can be easy, hijacking a SSL/TLS protected
> one is hard.
> Oh, the HKP protocol used to transfer keys is cleartext too, being it over
> HTTP.
> Well. Please come to my house, show me your documents and the fingerprint of
> your public key.
>
> Please.
>
> :)
>
> Oh, and come again after 2015. ;)
>
> >
> > Trust is hard. Even if you pay money to "solve" the problem, there are lots
> > of cases of problems with paid for certs.
> >
> >
> Yup, some. But you will agree that the problematic scenarios with signed
> X509 certs are scarce and almost insignificant if compared to
> web-of-trust-based ones.
>
> By the way, how much would it cost "you" (I mean, to the community) a
> certificate that would last, let's say, for three years? Just curious, if
> you ever checked.

Actually I think the free/dirt cheap SSL cert provider we use is accepted for code signing in some cases. It's on the todo list.
_______________________________________________
Support mailing list
Support@freenetproject.org
http://news.gmane.org/gmane.network.freenet.support
Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support
Or mailto:support-requ...@freenetproject.org?subject=unsubscribe