Re: ISO md5sum signing paranoia
On Friday 30 September 2005 10:08, vitko wrote:
> > The idea is that either YOU meet these people, or that somebody you trust
> > did it for you, or that somebody you trust knows somebody he trusts who
> > knows this trusty gal, who had a relation with a bloke, who met the guy
> > at this congress which he now trusts.
>
> Yes, that is the idea of signing the keys by CA. It seems gpg supports
> this:
>
> <quote>
> gpg: WARNING: This key is not certified with a trusted signature!
> </quote>
>
> Does it mean that the key is certified, but I miss key of certificator;
> then I'd like to know where to get this certificate authority key; OR does
> it mean this key is not certified at all?
no and no.
The key might be certified (trusted) by somebody, however the warning above
indicates gpg cannot find a web of trust in _your_ key ring leading to
anything that leads to any key that _you_ declared to trust.
There is no CA for this.
Besides, how come you trust any of these supposed CAs?
Do you know them?
Are they indeed trustworthy?
(sorry I'm a bit paranoid there, but you asked for it ;o)
gpg 's web of trust doesn't work with the self appointed Certificate
"Authorities" (yes, these literally appeared out of the blue!). gpg expects
you to meet people and build a web of trust with them.
Of course that is the theory. What I did (and this is the part I'm not
supposed to tell you) is, over the years, declare a few keys marginally trusted
after having seen them coming again and again with emails and packages. After
a relatively short time the system started to trust some other keys from new
emails and new packages.
Cheers,
Ernest ter Kuile.
>
> Vit
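A worked illustration of the mechanism described above, added for the archive and not part of either message: a small Python model of the validity calculation gpg's classic trust model performs with its default settings (completes-needed=1, marginals-needed=3, max-cert-depth=5). The keyring, the key names and the owner-trust assignments are constructed; "me" is the local user's own key, A/B/C stand for the maintainer keys that kept turning up and were locally signed and marked marginally trusted (owner trust only propagates from keys that are themselves valid, so the model assumes they were certified, not just marked), D and E are newer keys they certified, and H1..H6 are a chain showing the depth limit. Trust level "never" and signature expiry are not modelled.

```python
"""Model of GnuPG's classic web-of-trust validity calculation (added example).

Constructed toy keyring, not from the thread. Implements the documented rules:
a key is fully valid when certified by >= completes_needed fully/ultimately
trusted introducers or >= marginals_needed marginally trusted ones, marginally
valid when it has some trusted certification but not enough, and the path from
an ultimately trusted key may be at most max_cert_depth steps long.
"""
from typing import Dict, Optional, Set

UNKNOWN, MARGINAL, FULL, ULTIMATE = "unknown", "marginal", "full", "ultimate"


def compute_validity(certifications: Dict[str, Set[str]],
                     ownertrust: Dict[str, str],
                     completes_needed: int = 1,
                     marginals_needed: int = 3,
                     max_cert_depth: int = 5) -> Dict[str, str]:
    """Return the validity gpg would assign to every key in the keyring.

    certifications: signed_key -> set of keys that certified (signed) it.
    ownertrust:     key -> trust the local user assigned to that key's owner.
    Only fully valid keys whose owner the user trusts act as introducers.
    """
    keys = set(certifications) | set(ownertrust)
    for signers in certifications.values():
        keys |= signers
    validity = {k: UNKNOWN for k in keys}

    # Depth 0: the user's own (ultimately trusted) keys are valid by definition.
    introducers = {k for k, t in ownertrust.items() if t == ULTIMATE}
    for k in introducers:
        validity[k] = FULL

    for _depth in range(1, max_cert_depth + 1):
        newly_full = set()
        for key in keys:
            if validity[key] == FULL:
                continue
            trusted_signers = certifications.get(key, set()) & introducers
            fulls = sum(1 for s in trusted_signers if ownertrust[s] in (FULL, ULTIMATE))
            marginals = sum(1 for s in trusted_signers if ownertrust[s] == MARGINAL)
            if fulls >= completes_needed or marginals >= marginals_needed:
                newly_full.add(key)
            elif fulls or marginals:
                validity[key] = MARGINAL
        if not newly_full:
            break
        for key in newly_full:
            validity[key] = FULL
            # A newly valid key introduces others only if the user trusts its owner.
            if ownertrust.get(key, UNKNOWN) != UNKNOWN:
                introducers.add(key)
    return validity


def gpg_warning(validity: Dict[str, str], key: str) -> Optional[str]:
    """The WARNING gpg --verify prints for a signature made by `key`, or None."""
    v = validity.get(key, UNKNOWN)
    if v == FULL:
        return None
    if v == MARGINAL:
        return "WARNING: This key is not certified with sufficiently trusted signatures!"
    return "WARNING: This key is not certified with a trusted signature!"


# Constructed keyring: signed_key -> signers. "me" is the local user's key.
CERTIFICATIONS = {
    "A": {"me"}, "B": {"me"}, "C": {"me"},   # locally signed after seeing them repeatedly
    "D": {"A", "B", "C"},                     # three marginal introducers: becomes valid
    "E": {"A", "B"},                          # only two: marginal validity, still warns
    "F": {"D"},                               # D is valid but has no owner trust set
    "H1": {"me"}, "H2": {"H1"}, "H3": {"H2"}, # chain of fully trusted introducers ...
    "H4": {"H3"}, "H5": {"H4"}, "H6": {"H5"}, # ... H6 is 6 steps away: too deep
}
OWNERTRUST = {"me": ULTIMATE, "A": MARGINAL, "B": MARGINAL, "C": MARGINAL,
              "H1": FULL, "H2": FULL, "H3": FULL, "H4": FULL, "H5": FULL, "H6": FULL}

if __name__ == "__main__":
    validity = compute_validity(CERTIFICATIONS, OWNERTRUST)
    for key in sorted(validity):
        print(f"{key:3} {validity[key]:9} {gpg_warning(validity, key) or ''}")
```

Running it shows D fully valid with no warning, E only marginally valid (the "sufficiently trusted" variant of the warning), F unknown because D's owner was never assigned trust, and H6 unknown despite an unbroken chain of fully trusted keys, because the chain exceeds the default depth. Lowering marginals_needed to 2 in the call makes E valid as well, which is the knob the author's "marginally trusted" approach effectively leans on.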