-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What is your point exactly? How secure are Verisign, Thawte or anyone else's servers outside of them just stating "We take X precautions"? Look at just about all of the top companies: Microsoft, Sun, Yahoo, Citibank. They've all been hit at some point because "X" wasn't secure. Right now I could register at Comodogroup.com for a free signing cert for email. It means nothing. Servers storing keys mean little since there is no authority body to verify the validity of a security claim. So your point is moot.

http://www.schneier.com/paper-pki-ft.txt

On Tue, 14 Mar 2006 12:50:54 -0500 "Forrest J. Cavalier III" <mibsoft@xxxxxxxxxxxxxxx> wrote:

>"A chain is only as strong as its weakest link."
>
>When I get the GnuPG distribution from the non-secure http://gnupg.org (or an https://gnupg.org with a CAcert.org certificate) I get a distribution signed by Werner Koch's key issued one day after the previous signing key expired 2006-01-01.
>
>The previous expired GnuPG signing key has 160 signatures on the MIT keyserver.
>
>The new key is signed by Werner Koch's own certification key, and that's it.
>
>How secure is that certification key? When I finger wk@xxxxxxxxxxx (another insecure protocol) I get a keyblock. Above the keyblock is some text which includes this sentence:
>
> "The primary key is stored at a more or less secure place and only used on a spare laptop which is not connected to any network."
>
>Can anyone estimate the incredible value of the communications and storage relying on software signed by that one guy with a "spare laptop in a more or less secure place"?
>
>One human being, vulnerable, fallible. Can he be bought, blackmailed, coerced? Hit by a bus?
>
>Can this situation be improved? I say yes.
>
>Maybe your company has never funded volunteer developers. Maybe you asked, and found you don't do "donations." Maybe you are just a single-person consulting business.
>
>Before last year, I had never paid anyone for all this great free beer.
>
>But last year I landed a contract that included the need to do secure code distribution automatically. I could never have done it without calling OpenSSL libraries. So, I used PayPal to pay one of the lead developers of OpenSSL to do a code review. We easily settled on a contract amount that gave me a great code review. It was well worth it. Fully tax deductible for me as a business expense.
>
>But the community got something too.
>
>As mutually agreed ahead of time, the developer got paid more than his straight regular consulting rate. Now he could have kept that as a fat contract, and moved on. But from his perspective, he covered his costs, and then looked at the "extra" as compensation for general OpenSSL improvements to benefit the whole community.
>
>This may be a way you can convince your company to fund volunteer developers too. If a couple of users a week did that, wouldn't Werner Koch and colleagues put some effort towards making stronger weakest links? Wouldn't all of us benefit?
>
>Now back to this weakest link. Do Werner Koch and colleagues have a PayPal account or other verified way of receiving electronic payments easily?

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wkYEARECAAYFAkQYgEkACgkQo8cxM8/cskpuoQCfeOoTBVkLLypT/cy+Pp34Zv/pTzQA
oISNgTkqxWmIonkVfjIrkvkHI7An
=j6Gj
-----END PGP SIGNATURE-----
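The trust-chain argument in the quoted message (an old signing key with 160 certifications versus a new one certified only by the author's own certification key) can be made concrete with a small validity calculator. The script below is an added example, not code from this thread or from GnuPG; it evaluates key validity with a simplified version of GnuPG's classic web-of-trust rules. The parameters 3 marginals needed, 1 complete needed and a maximum certification depth of 5 are GnuPG's real defaults; every key name, certifier and owner-trust assignment is constructed for illustration. The point it shows: until you have yourself verified and trusted the certification key, a single certification from it contributes nothing to the new signing key's validity, whereas the old key is reachable through several independent certifiers.

```python
"""Simplified GnuPG-style web-of-trust validity evaluation (added example,
not GnuPG's own code; key names and trust assignments are constructed)."""

# GnuPG's default trust-model parameters (the real defaults of
# --marginals-needed, --completes-needed and --max-cert-depth).
MARGINALS_NEEDED = 3
COMPLETES_NEEDED = 1
MAX_CERT_DEPTH = 5

# Owner-trust levels the local user assigns to keys: how much that key's
# owner is trusted to certify *other* keys carefully.
UNKNOWN, MARGINAL, FULL, ULTIMATE = "unknown", "marginal", "full", "ultimate"


def compute_validity(certifications, ownertrust):
    """Return the set of key IDs whose name/key bindings are considered valid.

    certifications: {target_key: set(signer_keys)} -- who certified whom.
    ownertrust:     {key: level} -- the local user's owner-trust assignments.

    Rules (simplified from GnuPG's classic trust model):
      * keys with ULTIMATE owner trust (your own keys) are valid by definition;
      * a key becomes valid when it is certified by at least COMPLETES_NEEDED
        valid keys with FULL/ULTIMATE owner trust, or by at least
        MARGINALS_NEEDED valid keys with MARGINAL owner trust;
      * a certification only counts if the signer's key is itself already
        valid, so validity propagates outwards from the ultimately trusted
        keys, one hop per round, for at most MAX_CERT_DEPTH hops.
    """
    valid = {k for k, level in ownertrust.items() if level == ULTIMATE}
    for _hop in range(MAX_CERT_DEPTH):
        newly_valid = set()
        for target, signers in certifications.items():
            if target in valid:
                continue
            full = [s for s in signers
                    if s in valid and ownertrust.get(s) in (FULL, ULTIMATE)]
            marginal = [s for s in signers
                        if s in valid and ownertrust.get(s) == MARGINAL]
            if len(full) >= COMPLETES_NEEDED or len(marginal) >= MARGINALS_NEEDED:
                newly_valid.add(target)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid


def trusted_certifiers(target, certifications, ownertrust):
    """Certifiers of `target` that actually contribute to its validity
    (valid keys with some owner trust); the rest are noise on a keyserver."""
    valid = compute_validity(certifications, ownertrust)
    return sorted(s for s in certifications.get(target, set())
                  if s in valid and ownertrust.get(s) in (MARGINAL, FULL, ULTIMATE))


# --- constructed scenario modelled on the thread (all key names are made up) ---
ME = "MYKEY"                 # the local user's own key
WK_CERT = "WK-CERT"          # the developer's offline certification key
OLD_SIGNING = "OLD-SIGNING"  # expired release-signing key, widely certified
NEW_SIGNING = "NEW-SIGNING"  # new release-signing key, certified only by WK_CERT
PARTY = ["ALICE", "BOB", "CAROL"]   # people I checked IDs with at a keysigning party

# Hypothetical certification graph: target -> set of keys that signed it.
CERTS = {
    **{p: {ME} for p in PARTY},                   # I certified Alice, Bob and Carol
    OLD_SIGNING: set(PARTY) | {WK_CERT, "DAVE"},  # old key: many certifiers
    NEW_SIGNING: {WK_CERT},                       # new key: exactly one certifier
    WK_CERT: {"DAVE"},                            # cert key signed only by a stranger
}

# Before I have done anything about WK_CERT: three marginals, nothing on WK_CERT.
TRUST_BEFORE = {ME: ULTIMATE, **{p: MARGINAL for p in PARTY}}

# After verifying WK_CERT's fingerprint out of band, certifying it myself and
# assigning it full owner trust.
CERTS_AFTER = {**CERTS, WK_CERT: CERTS[WK_CERT] | {ME}}
TRUST_AFTER = {**TRUST_BEFORE, WK_CERT: FULL}


def scenario_before():
    return compute_validity(CERTS, TRUST_BEFORE)


def scenario_after():
    return compute_validity(CERTS_AFTER, TRUST_AFTER)


if __name__ == "__main__":
    v = scenario_before()
    print("before: old valid =", OLD_SIGNING in v, "| new valid =", NEW_SIGNING in v)
    print("  old key vouched for by:", trusted_certifiers(OLD_SIGNING, CERTS, TRUST_BEFORE))
    print("  new key vouched for by:", trusted_certifiers(NEW_SIGNING, CERTS, TRUST_BEFORE))
    v = scenario_after()
    print("after:  old valid =", OLD_SIGNING in v, "| new valid =", NEW_SIGNING in v)
    print("  new key vouched for by:", trusted_certifiers(NEW_SIGNING, CERTS_AFTER, TRUST_AFTER))
```

Note what the "after" scenario requires: the fingerprint of the certification key has to be checked through some channel other than the same finger or HTTP fetch that delivered the new signing key, and that check is done once per user. The 160 certifications on the old key are only worth anything to you for the subset of certifiers whose keys you have already validated and assigned owner trust; the rest do not count, which the `trusted_certifiers` output makes visible.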