Re: [GNU-linux-libre] Help users to verify their downloads

[Patrick McDermott]

On 2018-06-25 at 11:33, Jean Louis wrote:
> If I receive PGP key from the same server, and PGP
> signature, and package from same server, then
> verification means just nothing.

OpenPGP public keys are normally pushed to a pool of key servers.  So
you can get the key from a different server.

> PGP security works only if the key have been
> verified with the trusted party who issued it.
> 
> So in order to verify the key, I would need to
> call developer, or SMS him, or otherwise use
> communication channel that is trusted (even this
> is not absolute), and then by exchanging
> fingerprints, I would know I have his true PGP
> key.
> 
> Only thereafter I can use his public PGP key to
> verify that package have been signed by his public
> PGP key.

This is not very practical, or even sufficient.  It can verify a key,
but it doesn't authenticate the key's owner.  How secure is the method
by which you found the phone number?  How do you know that the voice on
the other end is that of the maintainer?  You can't very easily verify
someone's identity by phone, especially in a publicly reproducible way
(ask a question with a secret answer, and the answer is no longer
secret, because an impersonator could get and repeat the same answer).

OpenPGP has a more effective and distributed solution to this: the web
of trust.  Maintainers meet people who verify their identities in person
and sign their keys (ideally either shared in full or identified by a
full fingerprint or a sufficiently large ID).  The people who meet the
maintainers meet other people to have their identities verified and keys
signed, and so on.  If a user has met some people and verified and
signed some keys, then there is likely to be at least one trust path
somewhere, through N degrees of separation, that leads to the maintainer
of the downloaded software they want to verify.  GnuPG looks for such
trust paths when using a key to verify a signature.

In practice, this doesn't always work out, because not all users go
around to key-signing parties to connect themselves into the web of
trust.  Such people could instead look up a maintainer on their favorite
key server and look for a key that has numerous signatures from keys
that in turn have numerous signatures.  It's far from ideal but better
than nothing.

> So when requesting any security feature for
> packages to be placed for downloading, let us not
> dwell in some illusions of security.
> 
> If users don't know how to verify PGP fingerprints
> with the issues of the PGP key, and it is anyway
> unlikely that any serious percentage would be
> doing so, then we are wasting time by creating
> apparent security.

The perfect is the enemy of the good.  Sure, perfect security is
impossible, but that doesn't mean we should give up on having any
security at all.  Security is not a binary thing; it's a matter of best
efforts, defense in depth, and deterring an attacker at least long
enough that they give up.

As long as the threat model and weaknesses are considered (i.e. not
having a false sense of perfect security), any level of security is
better than none.

-- 
Patrick McDermott, CEO
Libiquity
Putting customers in control of high-quality technologies
http://www.libiquity.com/