
Re: ISO md5sum signing paranoia



On Friday 30 September 2005 10:08, vitko wrote:
> > The idea is that either YOU meet these people, or that somebody you trust
> > did it for you, or that somebody you trust knows somebody he trusts who
> > knows this trusty gal, who had a relation with a bloke, who met the guy
> > at this congress which he now trusts.
>
> Yes, that is the idea of signing the keys by a CA. It seems gpg supports
> this:
>
> <quote>
> gpg: WARNING: This key is not certified with a trusted signature!
> </quote>
>
> Does it mean that the key is certified, but I am missing the key of the
> certifier? Then I'd like to know where to get this certificate authority
> key; OR does it mean this key is not certified at all?

no and no.

The key might be certified (trusted) by somebody; however, the warning above
indicates gpg cannot find a web of trust in _your_ key ring leading to
anything that leads to any key that _you_ declared to trust.

There is no CA for this.

Besides, how come you trust any of these supposed CAs?
Do you know them?
Are they indeed trustworthy?

(sorry I'm a bit paranoid there, but you asked for it ;o)

gpg's web of trust doesn't work with the self-appointed Certificate
"Authorities" (yes, these literally appeared out of the blue!). gpg expects
you to meet people and build a web of trust with them.

Of course that is the theory. What I did (and this is the part I'm not
supposed to tell you) is over the years declare a few keys marginally trusted
after having seen them coming again and again with emails and packages. After
a relatively short time the system started to trust some other keys from new
emails and new packages.

Cheers,

Ernest ter Kuile.

>
> Vit
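The trust mechanics discussed above, as an added example that is not part of the original mail: a throw-away GnuPG setup in which a "release team" key signs an MD5SUMS file, and a user verifies it before and after certifying that key with his own, which turns the warning quoted above into a found trust path. The user ids, addresses, checksum and file names are constructed; it assumes gpg 2.1 or later on PATH.

```shell
#!/bin/sh
# Added example (not from the original mail): reproduce the "not certified with a
# trusted signature" situation and clear it by building a one-hop trust path.
set -eu
export LC_ALL=C
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; exit 0; }
WORK=$(mktemp -d)
RELEASER_HOME="$WORK/releaser"; USER_HOME="$WORK/user"
mkdir -m 700 "$RELEASER_HOME" "$USER_HOME"

# Generate an unprotected key in the given keyring without any pinentry prompt.
gen_key() {  # $1 = GNUPGHOME, $2 = user id (constructed, not a real person)
  GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$2" default default never
}

# Machine-readable verification verdict: the TRUST_* keyword from --status-fd.
# Scripts should check this rather than grep the translatable WARNING text.
trust_status() {  # $1 = GNUPGHOME, $2 = detached signature, $3 = signed file
  GNUPGHOME="$1" gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null \
    | awk '$1 == "[GNUPG:]" && $2 ~ /^TRUST_/ { print $2 }'
}

# Constructed stand-in for the MD5SUMS file distributed next to ISO images.
printf 'd41d8cd98f00b204e9800998ecf8427e  example.iso\n' > "$WORK/MD5SUMS"

# Release team: create a key, sign the checksum file, publish the public key.
gen_key "$RELEASER_HOME" "Release Team <releases@example.test>"
GNUPGHOME="$RELEASER_HOME" gpg --batch --output "$WORK/MD5SUMS.sign" \
  --detach-sign "$WORK/MD5SUMS"
GNUPGHOME="$RELEASER_HOME" gpg --batch --export --armor > "$WORK/release-key.asc"
RELEASER_FPR=$(GNUPGHOME="$RELEASER_HOME" gpg --batch --with-colons --list-keys \
  | awk -F: '$1 == "fpr" { print $10; exit }')

# User: import only the public key. The signature checks out, but gpg finds no
# path from a key the user trusts to this one, hence the WARNING in the mail.
GNUPGHOME="$USER_HOME" gpg --batch --quiet --import "$WORK/release-key.asc"
BEFORE=$(trust_status "$USER_HOME" "$WORK/MD5SUMS.sign" "$WORK/MD5SUMS")

# User: create an own key (ultimately trusted) and, after checking the
# fingerprint out of band, locally certify the release key with it.
gen_key "$USER_HOME" "Ernest <ernest@example.test>"
GNUPGHOME="$USER_HOME" gpg --batch --quick-lsign-key "$RELEASER_FPR"
GNUPGHOME="$USER_HOME" gpg --batch --quiet --check-trustdb
AFTER=$(trust_status "$USER_HOME" "$WORK/MD5SUMS.sign" "$WORK/MD5SUMS")
echo "before certifying: $BEFORE   after certifying: $AFTER"

# Stop the agents that gpg started for the throw-away homes.
for h in "$RELEASER_HOME" "$USER_HOME"; do GNUPGHOME="$h" gpgconf --kill gpg-agent; done
```

The first verification reports TRUST_UNDEFINED (the WARNING case); after the local certification the same signature reports TRUST_FULLY, because the only thing that changed is the keyring the verifier is consulting.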
