Simon Josefsson wrote:
> My primary goal is to have something stronger than a HTTPS URL to
> Savannah as a trust anchor for how to retrieve gnulib. PGP signatures
> on a serialized file, like a tarball or git bundle, are stronger.
There's something I don't understand here. Can you please explain?

Ten years ago, PGP key signing parties were common. They are not common any more. The prior knowledge summarization engine explains this with the demise of the "web of trust" model (see attachment).

This is consistent with the following observation: When I download your PGP key from https://savannah.gnu.org/users/jas, I see that it has only self-signatures.

So, if the "web of trust" is dead, that is, people only self-sign their keys, it means that Savannah trusts a developer's PGP key (and includes it in the GNU keyring) *only* because that developer has submitted it via the Savannah web interface, and for that he must have proven that he is in possession of his Savannah web password.

Since an evil PGP key could be entered
  a) by an institution that is able to break the HTTPS of Savannah, or
  b) by an individual who is exploiting a web UI vulnerability of Savannah, or
  c) by an individual who has hijacked the developer's desktop session for five minutes,
the authenticity of said PGP key is _weaker_ than the HTTPS of Savannah.

Hence, augmenting the HTTPS of Savannah with something that is weaker than the HTTPS of Savannah does not add security. It merely adds a false impression of added security.

Right?

Bruno
Attachment: openpgp-web-of-trust.odt (application/vnd.oasis.opendocument.text)
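The observation above ("it has only self-signatures") is easy to check mechanically. The following script is an added example, not part of this thread or of gnulib or Savannah: it reads the machine-readable output of `gpg --with-colons --list-sigs` and reports whether any certification on the key comes from a key other than the key itself. The two listings embedded below are constructed samples with fictional key IDs and a fictional user ID, included so the script runs offline; the field positions follow GnuPG's documented colon format (record type in field 1, key ID in field 5).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): classify an OpenPGP key
# as self-signed-only or as carrying third-party certifications, based on
# `gpg --with-colons --list-sigs` output read from stdin.
#
# Prints "self-signed-only" or "third-party-sigs:<count>".
# Exits 1 if the input contains no "pub" record.
classify_sigs() {
    awk -F: '
        # The primary key record gives us the key ID every self-signature uses.
        $1 == "pub" { own = $5; seen = 1 }
        # Every "sig" record is a certification; field 5 is the signing key ID.
        $1 == "sig" { if ($5 != own) other++ }
        END {
            if (!seen) exit 1
            if (other > 0) printf "third-party-sigs:%d\n", other
            else print "self-signed-only"
        }'
}

# Constructed sample 1: primary key, one user ID, one subkey, and only
# self-signatures (signer key ID equals the primary key ID). Fictional IDs.
SELF_ONLY='pub:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFF0123456789ABCDEF:
uid:u::::1500000000::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA::Example Developer <dev@example.invalid>::::::::::0:
sig:::1:0123456789ABCDEF:1500000000::::Example Developer <dev@example.invalid>:13x::FFFFFFFFFFFFFFFFFFFFFFFF0123456789ABCDEF:::8:
sub:u:4096:1:FEDCBA9876543210:1500000000::::::e::::::23:
sig:::1:0123456789ABCDEF:1500000000::::Example Developer <dev@example.invalid>:18x::FFFFFFFFFFFFFFFFFFFFFFFF0123456789ABCDEF:::8:'

# Constructed sample 2: same key, plus one certification on the user ID from
# a different (fictional) key, as a web-of-trust signature would look.
THIRD_PARTY='pub:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFF0123456789ABCDEF:
uid:u::::1500000000::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA::Example Developer <dev@example.invalid>::::::::::0:
sig:::1:0123456789ABCDEF:1500000000::::Example Developer <dev@example.invalid>:13x::FFFFFFFFFFFFFFFFFFFFFFFF0123456789ABCDEF:::8:
sig:::1:89ABCDEF01234567:1500086400::::Other Signer <other@example.invalid>:10x::EEEEEEEEEEEEEEEEEEEEEEEE89ABCDEF01234567:::8:
sub:u:4096:1:FEDCBA9876543210:1500000000::::::e::::::23:
sig:::1:0123456789ABCDEF:1500000000::::Example Developer <dev@example.invalid>:18x::FFFFFFFFFFFFFFFFFFFFFFFF0123456789ABCDEF:::8:'

# Stand-alone demonstration on the constructed samples.
printf 'sample 1: %s\n' "$(printf '%s\n' "$SELF_ONLY" | classify_sigs)"
printf 'sample 2: %s\n' "$(printf '%s\n' "$THIRD_PARTY" | classify_sigs)"
```

Against a real keyring the same function is used as `gpg --with-colons --list-sigs KEYID | classify_sigs`. Note that a third-party count greater than zero only tells you that other keys have certified this one; whether those signers are themselves trustworthy is exactly the question the web-of-trust model was meant to answer, and the script does not attempt it.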