Mark H. Wood via Gnupg-users wrote: > On Sat, Dec 07, 2019 at 09:51:34PM +0100, Stefan Claas via Gnupg-users wrote: > > Juergen BRUCKNER wrote: > > > > > Hi Stefan > > > > > > Thats not the approach PGP pursues. > > > PGP was, is and should continue to be decentralized in the future. It > > > was never really intended to validate identities in a wide circle, but > > > to secure communication, and - im parts - to ensure the integrity of > > > software. > > > > Well, the integrity of software can also be shown with a simple hash > > value posted, because I can not verify if the sig belongs to person > > xyz, even when he / she has a lot of fan sigs from people unknown to > > me. > > Yes, if you trust that the page with the hash on it has not been > compromised. Once the bad guy is inside the site, changing the hash > is just as easy as replacing the software. Signatures depend on > material that is *not* in the same place with the signed object (if > we're doing it right) and thus can be verified from independent > sources. > > Simple hashes can only detect simple failures. They have no value > against a careful adversary.
The software author(s) can simply provide a, via blockchain, timestamped record[1] of the original hash value. Additionally, from time to time, a timestamped warrant canary would be welcome addition too. P.S. I have read recently that one can only trust software he / she has written themselves ... ;-D [1] https://opentimestamps.org/ Regards Stefan -- box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56 certified OpenPGP key blocks available on keybase.io/stefan_claas _______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
