
Re: TLS encrypted source for Debian iso signing keys?



On Mon, Jul 02, 2012 at 11:34:15AM -0700, anotst01@fastmail.fm wrote:
> Is there any TLS encrypted source for downloading the Debian iso signing
> keys?
> 
> Of course, from a source verified by a common root certificate. Not from
> the Debian CA, because there is no way to get this one from a trusted
> source either, or is there?

The ISO images, like the rest of the archive, are signed using
OpenPGP (GnuPG) signatures.  You can obtain the signing key from
db.debian.org or the public keyservers.

> If the answer is no, which were the correct component to file a bug
> against?

None.  The signing is rather more secure than what a TLS connection
would give you.  It's signed by a number of Debian developers, and
backed by the entire web of trust (many thousands of signatures).
You don't need to download the signing (public) key securely in
order to validate that you have the correct one--it's not rooted
in a single place.

If you go and meet some developers and sign each other's keys, you
can be a part of this web of trust.  i.e. trace the signature all
the way back to *your* key.  This is real trust, based upon real
people trusting each other, rather than just having some purchased
certificate--how much trust do you place in one of those?


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800
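The verification workflow Roger describes, worked through as an added shell example (this is not code from the message or from Debian's own tooling): the checksum file that ships beside the images carries a detached OpenPGP signature, the signature is checked against a key obtained out of band and pinned to an expected fingerprint, and only then is the ISO compared against the signed checksum. No TLS is involved at any step. It assumes GnuPG 2.1 or later, coreutils sha512sum and awk, and Debian's `SHA512SUMS` / `SHA512SUMS.sign` file naming; the fingerprint you pass in is the one you have verified through the web of trust, not something downloaded from the same place as the key.

```shell
#!/bin/sh
# Added example, not part of Roger's reply or of Debian's own tooling.
# Checks a Debian-style ISO as the reply describes: SHA512SUMS is signed
# (SHA512SUMS.sign, a detached OpenPGP signature), the signature is checked
# against a key you obtained out of band, and the ISO is then checked
# against the signed checksum. Assumes GnuPG 2.1+, sha512sum and awk.
set -eu

# Import the armoured signing key ($2) into a dedicated keyring directory
# ($1), so the check cannot be satisfied by some other key that happens to
# sit in the user's default keyring.
import_signing_key() {
    GNUPGHOME="$1" gpg --batch --quiet --import "$2"
}

# Verify detached signature $3 over checksum file $2 with keyring dir $1 and
# insist that the signing key's primary fingerprint is $4, i.e. the one you
# traced through the web of trust. A "good" signature from any other key,
# which gpg alone would accept, is treated as a failure.
verify_checksum_file() {
    status=$(GNUPGHOME="$1" gpg --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null) || return 1
    # Each VALIDSIG status line ends with the primary key fingerprint.
    printf '%s\n' "$status" |
        awk -v want="$4" '$2 == "VALIDSIG" && $NF == want { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Check ISO $2 against the line naming it in the (already verified) checksum
# file $1. Only that line is fed to sha512sum, so the other images listed in
# SHA512SUMS need not be present; no matching line means failure.
verify_iso() {
    iso_dir=$(dirname "$2"); iso_name=$(basename "$2")
    awk -v n="$iso_name" '$2 == n' "$1" | (cd "$iso_dir" && sha512sum -c --status)
}

# Usage: verify-iso.sh KEYRING_DIR KEY.asc FINGERPRINT SHA512SUMS SHA512SUMS.sign ISO
main() {
    import_signing_key "$1" "$2"
    verify_checksum_file "$1" "$4" "$5" "$3" || { echo "bad or unexpected signature on $4" >&2; return 1; }
    verify_iso "$4" "$6" || { echo "checksum mismatch for $6" >&2; return 1; }
    echo "$6 verified"
}
[ "$#" -ne 6 ] || main "$@"
```

The fingerprint comparison is the step that turns "gpg says the signature is good" into "this image was signed by the key I trust": gpg will happily report a valid signature from any key in the keyring, so the script fails closed unless the primary fingerprint matches the one you pinned.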