
I consider the Web of Trust a failed initiative (search for the mass SKS key poisoning that occurred in 2019).

PGP is used to sign software in source (commits / tags in Git/Mercurial) and binary (compiled artifacts) forms.

Currently, when I download software from the Internet, I usually rely on PGP keys (Debian / Cygwin / etc. package providers). Those keys are the only thing I trust.

Unfortunately, getting the keys for the first time is a dangerous process. I visit an HTTPS page and have to trust what is written on the HTML page (key fingerprints and links to .asc file downloads).

I wonder why major package providers don't cross-sign their PGP keys... For example, I have a set of Debian keys that I have trusted for 15 years: it would be cool if they signed Alpine or Red Hat keys! Why don't we have such beneficial cross-signing (a small WoT for really important keys)?

gavenkoa
  • Are there really any standards for OpenPGP keys, roughly similar to CA/Browser Forum standards for the public TLS infrastructure? What happens when a key you've cross-signed needs to be revoked? Cross-signing is trivial technically but more complicated when you try to attach some meaning to the signature that makes it valuable. – President James K. Polk Oct 06 '21 at 15:03
  • I want a solution for the problem of trusting *package signing keys*. If I obtained 10 keys from OS / package vendors and they signed an 11th key, I'll trust that key too. It is my duty to update the revocation status of keys, and I can update revocation status from any **public place**, unlike a public key, which needs to be obtained in person or through the web of trust... – gavenkoa Oct 06 '21 at 15:36
  • This would be better asked of the maintainers of those package providers. But one reason against long-lived cryptographic keys is that the time frame for exploitation is larger. There's a higher chance that a key is compromised within 15 years than within 3-4, and the impact of that can be a lot bigger as a result. – NULLZ Oct 12 '21 at 04:41
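The policy the question and gavenkoa's comment describe (trust an 11th vendor key once enough already-trusted vendor keys have certified it, and keep revocation status current) can be checked mechanically over the output of `gpg --check-sigs --with-colons`. The script below is an added example, not code from the question or from any package provider. It parses only the `pub`, `fpr`, `uid`, `sig` and `rev` records of that format, treats a trusted key as one whose fingerprint the operator pinned out of band and which the listing does not show as revoked, and accepts a candidate key only if at least `THRESHOLD` distinct trusted, non-revoked keys hold a verified certification on it whose issuer has not since revoked it. The listing, fingerprints and threshold are constructed sample values, not real keys.

```python
"""Small web of trust for package-signing keys, evaluated over gpg colon output.

Added example. Handles a subset of `gpg --check-sigs --with-colons` records;
all key material below is constructed sample data, not real vendor keys.
"""

THRESHOLD = 2  # distinct trusted certifiers required before a new key is accepted (assumption)

# Constructed: fingerprints the operator obtained out of band (e.g. verified in person).
# Vendor C is pinned too, but the listing below shows it has since been revoked.
TRUSTED_FINGERPRINTS = {
    "0123456789ABCDEF01234567AAAA000000000001",  # Vendor A
    "0123456789ABCDEF01234567BBBB000000000002",  # Vendor B
    "0123456789ABCDEF01234567CCCC000000000003",  # Vendor C (revoked)
}

# Constructed listing. sig field 2: '!' verified good, '?' signer key unknown.
# Class "13x" is a positive exportable certification, "30x" a certification revocation.
SAMPLE_LISTING = """\
pub:f:4096:1:AAAA000000000001:1451606400:::u:::scESC:
fpr:::::::::0123456789ABCDEF01234567AAAA000000000001:
uid:f::::1451606400::X1::Vendor A Archive Key <keys@a.example>:
sig:!::1:AAAA000000000001:1451606400::::Vendor A Archive Key <keys@a.example>:13x:
pub:f:4096:1:BBBB000000000002:1451606400:::u:::scESC:
fpr:::::::::0123456789ABCDEF01234567BBBB000000000002:
uid:f::::1451606400::X2::Vendor B Archive Key <keys@b.example>:
sig:!::1:BBBB000000000002:1451606400::::Vendor B Archive Key <keys@b.example>:13x:
pub:r:4096:1:CCCC000000000003:1451606400:::u:::scESC:
fpr:::::::::0123456789ABCDEF01234567CCCC000000000003:
uid:r::::1451606400::X3::Vendor C Archive Key <keys@c.example>:
sig:!::1:CCCC000000000003:1451606400::::Vendor C Archive Key <keys@c.example>:13x:
pub:-:4096:1:DDDD000000000004:1609459200:::-:::scESC:
fpr:::::::::0123456789ABCDEF01234567DDDD000000000004:
uid:-::::1609459200::X4::Vendor D Archive Key <keys@d.example>:
sig:!::1:DDDD000000000004:1609459200::::Vendor D Archive Key <keys@d.example>:13x:
sig:!::1:AAAA000000000001:1609459200::::Vendor A Archive Key <keys@a.example>:13x:
sig:!::1:BBBB000000000002:1609459200::::Vendor B Archive Key <keys@b.example>:13x:
sig:?::1:9999000000000009:1609459200::::[User ID not found]:10x:
pub:-:4096:1:EEEE000000000005:1609459200:::-:::scESC:
fpr:::::::::0123456789ABCDEF01234567EEEE000000000005:
uid:-::::1609459200::X5::Vendor E Archive Key <keys@e.example>:
sig:!::1:AAAA000000000001:1609459200::::Vendor A Archive Key <keys@a.example>:13x:
sig:!::1:CCCC000000000003:1609459200::::Vendor C Archive Key <keys@c.example>:13x:
pub:-:4096:1:FFFF000000000006:1609459200:::-:::scESC:
fpr:::::::::0123456789ABCDEF01234567FFFF000000000006:
uid:-::::1609459200::X6::Vendor F Archive Key <keys@f.example>:
sig:!::1:AAAA000000000001:1609459200::::Vendor A Archive Key <keys@a.example>:13x:
sig:!::1:BBBB000000000002:1609459200::::Vendor B Archive Key <keys@b.example>:13x:
rev:!::1:BBBB000000000002:1640995200::::Vendor B Archive Key <keys@b.example>:30x:
"""


def parse_listing(text):
    """Group pub/fpr/uid/sig/rev records per primary key; other record types are ignored."""
    keys, cur = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cur = {"keyid": f[4], "revoked": f[1] == "r", "fpr": None,
                   "uids": [], "sigs": [], "revoked_certifiers": set()}
            keys.append(cur)
        elif cur is None:
            continue
        elif f[0] == "fpr" and cur["fpr"] is None:  # first fpr after pub belongs to the primary key
            cur["fpr"] = f[9]
        elif f[0] == "uid":
            cur["uids"].append(f[9])
        elif f[0] == "sig":
            cur["sigs"].append({"status": f[1], "signer": f[4], "cls": f[10]})
        elif f[0] == "rev":  # simplification: the issuer withdrew its certification of this key
            cur["revoked_certifiers"].add(f[4])
    return keys


def trusted_keyids(keys, trusted_fprs):
    """Pinned keys still count as trusted only while the fresh listing shows them unrevoked."""
    return {k["keyid"] for k in keys if k["fpr"] in trusted_fprs and not k["revoked"]}


def evaluate(key, trusted_ids, threshold=THRESHOLD):
    """Return (accepted, sorted key IDs of trusted certifiers that were counted)."""
    if key["revoked"]:
        return False, []
    certifiers = set()
    for s in key["sigs"]:
        if s["status"] != "!" or s["cls"][:2] not in ("10", "11", "12", "13"):
            continue  # only certifications gpg could verify against a known key
        if s["signer"] == key["keyid"] or s["signer"] in key["revoked_certifiers"]:
            continue  # self-signature, or a certification its issuer later revoked
        if s["signer"] in trusted_ids:
            certifiers.add(s["signer"])
    return len(certifiers) >= threshold, sorted(certifiers)


def evaluate_all(text=SAMPLE_LISTING, trusted_fprs=TRUSTED_FINGERPRINTS):
    """Evaluate every key in the listing that is not itself one of the pinned keys."""
    keys = parse_listing(text)
    trusted = trusted_keyids(keys, trusted_fprs)
    return {k["keyid"]: evaluate(k, trusted) for k in keys if k["fpr"] not in trusted_fprs}


if __name__ == "__main__":
    for keyid, (ok, certs) in evaluate_all().items():
        print(f"{keyid}: {'ACCEPT' if ok else 'REJECT'} via {', '.join(certs) or 'no trusted certifier'}")
```

Run against the sample, key D is accepted (certified by A and B), key E is rejected because its second certifier C is revoked and no longer counts, and key F is rejected because B withdrew its certification with a `rev` record. Real revocation handling also has to compare signature and revocation timestamps and refresh the listing from a public source first, which is the operator duty the comment above describes.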

0 Answers