
Re: About GPG-signing the public RSA keys of Debian machines



Hi,

David Clymer <david@hrcsb.org> wrote:

> With a signature, he just has to trust that signer f00's key has not
> been compromised, thus the published host key info is trustworthy and a
> MITM is not happening.

To be honest, I believe the MITM attack problem could be mitigated by
the certificate when accessing db.debian.org via HTTPS instead of HTTP.

But trusting the certificate is still a problem for me. Even with
ca-certificates installed, galeon says the certificate cannot be
trusted; I subsequently imported the certs from /etc/ssl/certs into
galeon, which brought the question of whether I trusted that this came
from "Autoridade Certificadora Raiz Brasileira", at which point I
answered no.

In contrast to this, the principle of the GPG web of trust is crystal
clear.

-- 
Florent
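The check the thread is about, as an added example (not part of the original message or of Debian's own tooling): an SSH host key presented at connect time is compared with the fingerprint in a published host-key list, and the result is only meaningful because the list itself was first verified with `gpg --verify` against the signer's key. That signature step is assumed to have passed before the code below runs. The host name, the key bytes and the published list are constructed for illustration; the fingerprint format is the SHA256 form that current `ssh-keygen -lf` prints, which postdates this message.

```python
"""Check an SSH host key presented at connect time against a published,
GPG-signed list of host key fingerprints.

Added example; not part of the original message. The published list and the
host keys below are constructed for illustration. The real workflow would
first run `gpg --verify` on the downloaded list and only then use its
contents; that step is assumed to have succeeded here.
"""
import base64
import hashlib
import struct


def ssh_fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint of an OpenSSH public key blob, in the form
    `ssh-keygen -lf` prints (base64 without '=' padding)."""
    raw = base64.b64decode(b64_blob)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_key_type(b64_blob: str) -> str:
    """Key type encoded inside the blob (its first length-prefixed string)."""
    raw = base64.b64decode(b64_blob)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode()


def parse_known_hosts_line(line: str):
    """Split 'host keytype base64 [comment]' and sanity-check the blob:
    the declared type must match the type encoded in the blob."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line: %r" % line)
    host, ktype, b64 = fields[:3]
    if blob_key_type(b64) != ktype:
        raise ValueError("key type %s does not match blob for %s" % (ktype, host))
    return host, ktype, b64


def check_host(published: dict, presented_line: str) -> str:
    """Compare the key a server presents with the published fingerprint.

    Returns 'match', 'mismatch' (possible MITM, or a key rollover the list
    has not caught up with), or 'unknown' (host not in the signed list, so
    there is nothing trustworthy to compare against).
    """
    host, _ktype, b64 = parse_known_hosts_line(presented_line)
    expected = published.get(host)
    if expected is None:
        return "unknown"
    return "match" if ssh_fingerprint(b64) == expected else "mismatch"


# --- constructed sample data -------------------------------------------
def _ed25519_blob(pub: bytes) -> str:
    """Build an ssh-ed25519 wire blob around a 32-byte value. Constructed
    for the example; the bytes are not a real key."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + pub)
    return base64.b64encode(blob).decode()


GENUINE_KEY = _ed25519_blob(bytes(range(32)))        # constructed
ATTACKER_KEY = _ed25519_blob(bytes(range(32, 64)))   # constructed

# What the signed list would give us after `gpg --verify` succeeds
# (hypothetical host name, constructed entry).
PUBLISHED = {"host.example.debian.org": ssh_fingerprint(GENUINE_KEY)}

PRESENTED_GENUINE = "host.example.debian.org ssh-ed25519 " + GENUINE_KEY
PRESENTED_MITM = "host.example.debian.org ssh-ed25519 " + ATTACKER_KEY
PRESENTED_UNKNOWN = "other.example.org ssh-ed25519 " + GENUINE_KEY


if __name__ == "__main__":
    for line in (PRESENTED_GENUINE, PRESENTED_MITM, PRESENTED_UNKNOWN):
        print(line.split()[0], check_host(PUBLISHED, line))
```

Note that the script cannot tell a MITM from a legitimate key change; both show up as "mismatch", and the only way to resolve that is a fresh copy of the list whose signature again verifies. A host missing from the list gets no trust at all rather than a guess.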


