Good article, thanks for posting! And you're right, https isn't THE thing to trust in.
Mit freundlichen Grüßen / Kind regards Jonathan (Nathan) Hermann IT Specialist HPC and HPSS Global Technology Services ---------------------------------------- IBM Deutschland IBM-Allee 1 71139 Ehningen Phone: +49-160-98976942 E-Mail: [email protected] ---------------------------------------- IBM Deutschland Business & Technology Services GmbH / Geschäftsführung: Frank Hammer, Thorsten Moehring Sitz der Gesellschaft: Ehningen / Registergericht: Amtsgericht Stuttgart, HRB 17122 From: Christopher Samuel <[email protected]> To: [email protected] Date: 02.07.2015 02:11 Subject: Re: [xcat-user] how to validate gpg key. On 01/07/15 18:24, Jonathan Hermann wrote: > Just thinking out loud: if Marc-André's purpose is to validate content that > was downloaded via insecure http, then a gpg key downloaded via insecure > http is somewhat pointless. I mean, statistically, chances are a bit better > that only one of both connections gets manipulated (if at all), but still, > the whole process in itself is vulnerable. However, even using https is not necessarily a great thing given the recent history of CA security and the general level of (mis)trust in centralised PKI systems these days. There's a nice LWN article on this issue from earlier this year on the whole issue (focused mainly on distros, but the issues are the same for any open source package): https://lwn.net/Articles/637595/ My feeling is that you have to set and clearly state the level of paranoia/threat that you are willing to try and work to address and try and avoid the temptation to go beyond that level (without updating your statement first). All the best, Chris -- Christopher Samuel Senior Systems Administrator VLSCI - Victorian Life Sciences Computation Initiative Email: [email protected] Phone: +61 (0)3 903 55545 http://www.vlsci.org.au/ http://twitter.com/vlsci ------------------------------------------------------------------------------ Don't Limit Your Business. Reach for the Cloud. GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business. Configured For All Businesses. Start Your Cloud Today. https://www.gigenetcloud.com/ _______________________________________________ xCAT-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/xcat-user ------------------------------------------------------------------------------ Don't Limit Your Business. Reach for the Cloud. GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business. Configured For All Businesses. Start Your Cloud Today. https://www.gigenetcloud.com/ _______________________________________________ xCAT-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/xcat-user
