AOH :: HP Unsorted G :: B06-1034.HTM

Gnupg weak as one guy with a spare laptop.



GnuPG weak as one guy with a spare laptop.
GnuPG weak as one guy with a spare laptop.



"A chain is only as strong as its weakest link."

When I get the GnuPG distribution from the non-secure http://gnupg.org (or a 
https://gnupg.org with a CAcert.org certificate) I get a distribution signed by 
Werner Koch's key issued one day after the previous signing key expired 
2006-01-01.

The previous expired GnuPG signing key has 160 signatures on the MIT keyserver.

The new key is signed by Werner Koch's own certification key, and that's it.

How secure is that certification key? When I finger wk@g10code.com (another 
insecure protocol) I get a keyblock.  Above the keyblock is some text which 
includes this sentence:

    "The primary key is stored at a more or less secure place and only used on a
     spare laptop which is not connected to any network."

Can anyone estimate the incredible value of the communications and storage 
relying on software signed by that one guy with a "spare laptop in a more or 
less secure place"?

One human being, vulnerable, fallible.  Can he be bought, blackmailed, coerced?
Hit by a bus?

Can this situation be improved?  I say yes.

Maybe your company has never funded volunteer developers.  Maybe you asked, and 
found you don't do "donations."  Maybe you are just a single-person consulting 
business.

Before last year, I had never paid anyone for all this great free beer.

But last year I landed a contract that included the need to do secure code 
distribution automatically.  I could never have done it without calling OpenSSL 
libraries.  So, I used paypal to pay one of the lead developers of OpenSSL to do 
a code review.  We easily settled on a contract amount that gave me a great code 
review.  It was well worth it.  Fully tax deductible for me as a business expense.

But the community got something too.

As mutually agreed ahead of time, the developer got paid more than his straight 
regular consulting rate.  Now he could have kept that as a fat contract, and 
moved on.  But from his perspective, he covered his costs, and then looked at 
the "extra" as compensation for general OpenSSL improvements to benefit the 
whole community.

This may be a way you can convince your company to fund volunteer developers 
too.  If a couple of users a week did that, wouldn't Werner Koch and colleagues 
put some effort towards making stronger weakest links?  Wouldn't all of us benefit?

Now back to this weakest link.  Does Werner Koch and colleagues have a Paypal 
account or other verified way of receiving electronic payments easily?


The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.