[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: GPG trusted signatures, dpkg-buildpackage & gpg

On Thu, Sep 16, 1999 at 00:02:10 +0100, Philip Hands wrote:
> Given that this key only seems to have been signed by Ray Dassen and
> itself,

Even with the updates Wichert mentions, the web of trust for Debian GPG keys
is still a lot sparser than the PGP one. I've pointed out one possible
approach to strenghtening it (using RSA keys to sign DH/DSA ones) in
http://www.debian.org/Bugs/db/25/25554.html .

> and you have good reason to believe that the key used to sign this key was
> Ray's,

In this case, you can be reasonably sure: my RSA key is unrevoked and very
widely signed (it made
http://www.cl.cam.ac.uk/Research/Security/Trust-Register/); I used it to
sign my GPG key (which has a number of other signatures on it as well) with
which I signed Wichert's GPG key.

Of course this depends on one's level of paranoia. Using crypto wisely and
effectively is a matter of keeping one's paranoia high, but not reducing it
ad absurdum (how do you know I'm not an alien with space/time travel
technology capable of intercepting your private key and viewing you type
your passphrase?).

PATRIOTISM  A great British writer once said that if he had to choose 
between betraying his country and betraying a friend he hoped he would
have the decency to betray his country.                                      
- The Hipcrime Vocab by Chad C. Mulligan 

Reply to: