Re: [dev] dl.suckmore.org file integrity dropboxhub project

From: Anselm R Garbe <garbeam_AT_gmail.com>
Date: Sun, 27 Aug 2017 15:26:29 +0200

On 27 August 2017 at 00:19, Mattias Andrée <maandree_AT_kth.se> wrote:
> The users must be able to find the appropriate keys some way the first
> time, so suckmore must at most have links to them. If suckmore is
> compromised these can be replaced. PGP keys only ensure that future
> keys are not fraudulent as all new keys should be signed by the old keys.
> SSL certificates ensure that the PGP keys are not tampered with by
> anyone outside suckmore. Thus, hosting the keys on suckmore.org, when
> it has HTTPS, is less secure than everyone's private home pages outside
> suckmore.org that do not have SSL certificates.

Perhaps I'm old-fashioned, but in the older days there used to be the
strategy to display your PGP fingerprint in mail signatures and lots
of other places, to ensure that during time and a high degree of
footprint throughout the net, it would be a rather easy cognitive
task to base trust on that.

But I didn't notice this approach for a while and did stop it myself
back in 2008 or so...

BR,
Anselm
Received on Sun Aug 27 2017 - 15:26:29 CEST
