On Tuesday 05 Aug 2003 11:35 am, Simon Waters wrote:
> Neil Williams wrote:
> > You might trust Werner, but which Werner? I have had 7-8 keys for
> > Werner in my keyring at one time or another and some have recently
> > expired.
>
> The one he signs the GNUPG distro with !

All you need is a good signature by the right key, not the right person.
If the fingerprint of the key in your keyring matches that on gnupg.org
AND you get a good signature when you validate the files, why does it
matter if you trust the person as a physical being? You aren't signing
his key.

If everyone had to verify the physical person Werner Koch, he'd have
enough Air Miles to own BA. (not hard at the mo.) :-))

Trusting Werner as a person is about verifying the email address and the
physical face with proper ID. This is incredibly unlikely for 99% of all
GnuPG users who download the software.

> Hmm the issue here is establishing the validity of the software, it
> could have been tampered (almost certainly Debian developers "tampered"
> to repackage it), so the Debian maintainer must "trust" Werner or how
> else did he verify he has the right GNUPG. I've implicitly trusted those
> Debian developers (and probably too much else beside).

Werner signs lots of Debian rings keys. All you need is to see a valid
signature by Werner on the key of the person signing the package.

> Of course they might have taken the argument that Werner would have
> complained about someone claiming to be him posting to the GNUPG lists
> so much over the years ;-)

Sure, it'd be nice to have a strong trust in Werner's key beforehand, but
isn't that a chicken-and-egg scenario? You can't build a web-of-trust
until you've had your key signed.

[neil@xxxxx targz]$ gpg --verify cryptplug-0.3.15.tar.gz.sig
gpg: Signature made Thu 05 Dec 2002 09:13:11 GMT using DSA key ID 57548DCD
gpg: Good signature from "Werner Koch (gnupg sig) <dd9jn@xxxxxxx>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6BD9 050F D8FC 941B 4341 2DCC 68B7 AB89 5754 8DCD

The warning is there to make sure you at least verify the fingerprint via
another means.

http://www.gnupg.org/(en)/download/integrity_check.html

Make sure that you have the right key, either by checking the fingerprint
of that key with other sources or by checking that the key has been
signed by a trustworthy other key.

http://www.gnupg.org/(en)/signature_key.html

pub  1024D/57548DCD 1998-07-07 Werner Koch (gnupg sig)
     Key fingerprint = 6BD9 050F D8FC 941B 4341 2DCC 68B7 AB89 5754 8DCD

In 99% of cases, the fingerprint will have to suffice. Essentially, you
are only checking that you've got the right file and using the signature
as a better sum check than md5. (Doesn't hurt to check the md5 too, mind.)

-- 
Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk
http://www.biglumber.com/x/web?sn=Neil+Williams
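An added example, not part of the message above and not GnuPG's own tooling: a POSIX shell check that turns the advice in the thread (accept a download only when the good signature comes from the key whose fingerprint matches the one published on gnupg.org) into an automated verification. It reads gpg's machine-readable --status-fd output and succeeds only if a VALIDSIG line names the pinned fingerprint, so the "not certified" WARNING from the trust database plays no part in the decision. The pinned fingerprint is the one quoted in the message; the file names, and the assumption that VALIDSIG carries the primary key fingerprint as its last field (gpg 1.4 and later), are mine.

```shell
#!/bin/sh
# Added example: pin a publisher's key fingerprint and accept a detached
# signature only when gpg reports VALIDSIG for that exact key.
set -eu

# Full 160-bit fingerprint of the signing key quoted in the thread, spaces
# removed. Pin the fingerprint, never the short key ID (57548DCD): 32-bit
# IDs are cheap to collide, fingerprints are not.
PINNED_FPR="6BD9050FD8FC941B43412DCC68B7AB8957548DCD"

# Read "gpg --status-fd" lines on stdin. Return 0 if some VALIDSIG line
# names the pinned key, either as the signing key (field 3) or as the
# primary key fingerprint (last field, gpg >= 1.4; assumption noted above).
# Spaces and case in the pin are normalised so the gnupg.org notation works.
status_matches_pin() {
    pin=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                set -- $line                  # split the status line on whitespace
                signing=$3
                eval "primary=\${$#}"         # last field: primary key fingerprint
                if [ "$signing" = "$pin" ] || [ "$primary" = "$pin" ]; then
                    found=0
                fi
                ;;
        esac
    done
    return $found
}

# Verify a detached signature over a downloaded archive (file names are
# assumptions). gpg's own exit status only says "good signature from some
# key in the keyring"; the fingerprint check is what binds the file to the
# publisher. --status-fd 1 puts the machine-readable lines on stdout; the
# human-readable messages, WARNING included, go to stderr and are ignored.
#   verify_pinned_sig cryptplug-0.3.15.tar.gz.sig cryptplug-0.3.15.tar.gz
verify_pinned_sig() {
    sig=$1
    file=$2
    gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
        | status_matches_pin "$PINNED_FPR"
}
```

The check deliberately keys on VALIDSIG rather than on the "Good signature" text or the GOODSIG line: GOODSIG carries only the 64-bit key ID and a free-form user ID, both of which another key could share, while VALIDSIG carries the full fingerprint. Parsing status lines instead of the human-readable output also keeps the script working across gpg versions and locales.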