User: Password:
|
|
Subscribe / Log in / New account

On keys, trust, and webs

On keys, trust, and webs

Posted Oct 7, 2011 6:16 UTC (Fri) by ringerc (subscriber, #3071)
Parent article: On keys, trust, and webs

I've been a stickler for proper identity verification and secure repository access since I spent several years managing the Scribus CVS (later svn) repository.

Unfortunately, then and now most people view my insistence on using crypto and on proper key management as kind of weird, paranoid, and an unnecessary hassle. That's despite REPEATED high-profile breaches over the years, and plenty of evidence that smaller operators are hardly safe either.

I'll be pleased if the kernel.org folks can overcome this sort of attitude, but I don't rate their chances. People will be creating infinite-expiry GnuPG keys without revocation certs then failing to back them up. Others will forget to push updated keys at expiry time. Most people won't bother signing mail and won't bother to deal with signed mail they receive once they break their key - which they'll do sooner rather than later. One or more people will have to spend a LOT of time hand-holding with basic GnuPG key management, etc. Yes, even with kernel developers; if running a repo taught me one thing it was that programming skills do NOT necessarily translate to even basic abilities/interest when it comes to mail client config, crypto setup, backups, etc.

Too many people see all this stuff as annoying bureaucratic crap they want to go away so they can get back to coding. With that attitude, security will always be sloppy and a hassle.


(Log in to post comments)

Best-practice GUI

Posted Oct 7, 2011 7:01 UTC (Fri) by Cato (subscriber, #7643) [Link]

Maybe someone could write a simple GUI that encodes best practices for key management with a number of wizards - the idea being that even expert developers are lacking in time and could do with some automated step by step help to do things properly. It could be as simple as a Python application using the Wx framework, wrapped around GPG, and would work on various platforms quite easily.

On keys, trust, and webs

Posted Oct 7, 2011 11:52 UTC (Fri) by fuhchee (guest, #40059) [Link]

"That's despite REPEATED high-profile breaches over the years,"

Can you explain the beneficial linkage between having properly signed pgp keys, and the vulnerabilities resulting from someone rooting a developer/admin's laptop?


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds