[Info-vax] VSI Website Form for Reporting Potential Security Problems

Craig A. Berry craig.a.berry at gmail.com
Mon Feb 26 16:51:35 EST 2018


On Monday, February 26, 2018 at 3:34:19 PM UTC-6, Simon Clubley wrote:
> On 2018-02-26, Craig A. Berry <craig.a.berry at gmail.com> wrote:
> > On Monday, February 26, 2018 at 12:37:26 PM UTC-6, Simon Clubley wrote:
> >  
> >> There either needs to be a file upload option or a public key that
> >> can be used to send files to VSI encrypted.
> >
> > There is.  You can supply them with a PGP key on that form and then exchange
> > as much secure e-mail with attachments as you want.
> 
> Sorry Craig, but that's nowhere near good enough.
> 
> All that does is to make sure that whoever is on the other end of
> the email address is still talking to the same person who sent them
> the PGP key.
> 
> It does absolutely nothing to make sure that the organisation
> you are talking to really is VSI.
> 
> If you look at every other organisation's security reporting mechanism,
> they all provide their own PGP key. There's a very good reason for that.

Um, *obviously* if you provide a PGP key to them, their first response to you will include their PGP key that you can use, possibly one they've generated specifically for dealing with you, thus enhancing mutual trust.  If someone other than VSI intercepts your https form posting and uses your PGP key to contact you, they would also have the ability to intercept the secure upload you are proposing.  Feel free to drive to Bolton and exchange keys in person; that is genuinely more secure.
