Re: CVE for Kali Linux

[Stephen Kitt <steve () sk2 org>]

On Sun, 22 Mar 2015 14:33:01 -0400, Daniel Micay <danielmicay () gmail com>
wrote:
[...]
> At best, GPG offered *zero value* compared to checking a hash provided
> via HTTPS, grabbing a torrent file via HTTPS or downloading directly via
> HTTPS. However, I think it's pretty clear that few users would have gone
> through with this and all it did was maintain the same security offered
> by the HTTPS PKI.
[...]

I don't have any objection to the rest of your argumentation, which seems
sensible to me; at the very least it's clear that all this needs to be made
much easier, and (proper) HTTPS use should be encouraged.

But I do believe that *at best*, GPG offers something that HTTPS doesn't:
signature validation with peer-to-peer trust via the web of trust. This is
"at best" because most users don't have a key in the strong set; but at least
for Debian, the archive keys are in the strong set, so any one else with a
key in the strong set has at least one trust path to the archive key.

Of course that doesn't really help with the MITM scenario, since end users
would need to know that the archive key is supposed to be signed, and by
whom...

Regards,

Stephen

Attachment: _bin
Description: OpenPGP digital signature