On Tue, 12 Jul 2016 02:06:58 +0000 (UTC), <[email protected]> said:

> in https://www.debian.org/CD/verify webpage: (1a) please Show+Enable
> HKPS based GPG KeyServer, or (1b) Allow Single GPG PUBKEY File
> Download (which is including all file-signing pubkeys), Over (HTTPS)
> ENCRYPTED CONNECTION.

For what purpose? Delivering the public key over an encrypted connection
doesn't help in ensuring the validity of the key when the fingerprint is
already delivered over an HTTPS connection. The only thing that it would
help is in hiding what key(s) are being requested.

[...]

> CD/DVD image ISO file's GPG-SIGNATURE (sig/sign) FILE or SHAnnnSUMS
> INTEGRITY FILES (all of these files are very very TINY SIZED FILES
> (few KILOBYTES only), compared to the VERY large-sized main file, the
> ISO files). So AT-LEAST sig/sign file + Sums/Hash code files, need to
> be shared with all users (from "https://cdimage.debian.org" or
> https://www.debian.org/CD/ website) over HTTPS encrypted
> connection/transfer.

Again, for what purpose? Delivering the signature files over HTTPS doesn't
help in ensuring the validity of the file, since it is validated using
GnuPG.

-- 
Hubert Chathi <[email protected]> -- Jabber: [email protected]
PGP/GnuPG key: 4096R/113A1368  https://www.uhoreg.ca/
Fingerprint: F24C F749 6C73 DDB8 DCB8 72DE B2DE 88D3 113A 1368
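A shell function illustrating the point made in the reply, added here as an example (it is not from the thread and not Debian's own tooling): the checksum list and its detached signature may arrive over plain HTTP, and the verification still rests on GnuPG plus a key fingerprint pinned from the HTTPS page. The file names SHA512SUMS and SHA512SUMS.sign follow the cdimage.debian.org convention; gpg and sha512sum are assumed to be installed and the signing key already imported.

```shell
#!/bin/sh
# Added example, not from the thread: verify a Debian image the way the reply
# argues it should be done. Authenticity comes from the GnuPG signature over
# the checksum list, checked against a fingerprint pinned from the HTTPS page,
# not from the transport that delivered SHA512SUMS or SHA512SUMS.sign.
#
# verify_debian_image SHA512SUMS SHA512SUMS.sign PINNED_FINGERPRINT image.iso
# Returns 0 only if the signature is good, was made by the pinned key, and the
# image's SHA-512 matches its entry in the signed checksum list.
verify_debian_image() {
    sums="$1"; sig="$2"; pinned="$3"; image="$4"

    # --status-fd 1 gives machine-readable output; the VALIDSIG line carries
    # the signing (sub)key fingerprint as field 3 and the primary key's
    # fingerprint as the last field. A bad or unknown signature exits non-zero.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || {
        echo "signature on $sums did not verify" >&2; return 1; }
    fprs=$(printf '%s\n' "$status" |
        awk '/^\[GNUPG:\] VALIDSIG / { print $3, $NF; exit }')
    [ -n "$fprs" ] || { echo "no VALIDSIG line from gpg" >&2; return 1; }

    # Normalise the pinned value (spaces, case) and require it to match the
    # signing key or its primary key: a valid signature from some other key is
    # exactly the substitution that pinning the fingerprint is meant to catch.
    want=$(printf '%s' "$pinned" | tr -d ' ' | tr 'a-f' 'A-F')
    case " $fprs " in
        *" $want "*) ;;
        *) echo "signed by $fprs, pinned key is $want" >&2; return 1 ;;
    esac

    # Only now trust the checksum list; check just the image we have. An empty
    # grep result makes sha512sum -c fail, so a missing entry fails closed.
    grep "[ *]$(basename "$image")\$" "$sums" |
        ( cd "$(dirname "$image")" && sha512sum -c --status ) || {
        echo "SHA-512 of $image does not match the signed list" >&2; return 1; }
    echo "OK: $image verified; checksum list signed by key $want"
}
```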

