Re: About GPG-signing the public RSA keys of Debian machines
Hi,
David Clymer <david@hrcsb.org> wrote:
> With a signature, he just has to trust that signer f00's key has not
> been compromised, thus the published host key info is trustworthy and a
> MITM is not happening.
To be honest, I believe the MITM attack problem could be mitigated by
the certificate when accessing db.debian.org via HTTPS instead of HTTP.
But trusting the certificate is still a problem for me. Even with
ca-certificates installed, galeon says the certificate cannot be
trusted; I subsequently imported the certs from /etc/ssl/certs into
galeon, which brought the question of whether I trusted that this came
from "Autoridade Certificadora Raiz Brasileira", at which point I
answered no.
In contrast to this, the principle of the GPG web of trust is crystal
clear.
--
Florent
Reply to: