on Thu, Jan 18, 2001 at 10:53:16PM +0100, Goswin Brederlow (goswin.brederlow@student.uni-tuebingen.de) wrote:
> >>>>> " " == Klaus Reimer <kay@debian.org> writes:
> By the way, how do you know that the debian keyring is what it claims
> to be? You know some maintainers and signed their keys, so they should
> be fine. What about all the other keys in the keyring? Are all keys in
> the keyring connected by signatures or are there groups of keys that
> don't have any signatures across the groups? If there are groups,
> maybe a man in the middle created such a false group. How would you
> know. Maybe you could write some code to check the connectivity of the
> keyring. :)

IIRC, this exists, for values of existence. There's a bit of software which generates a trust graph of a given keyring/signature web, indicating connectedness and trust within the ring. The hooks for this, again, IIRC, are in the existing Debian project keyring infrastructure, though it's not fully implemented (what, incomplete functionality in Debian?! <ducks>).

I remember seeing a published set of graphics for a LUG (east coast US, Pennsylvania?) who'd run the graph on their own keys.

Ironically, the keyring trust graphing package itself isn't free. I believe this may be in part the reason that this isn't yet fully part of Debian.

-- 
Karsten M. Self <kmself@ix.netcom.com>
http://kmself.home.netcom.com/
What part of "Gestalt" don't you understand?
There is no K5 cabal
http://gestalt-system.sourceforge.net/
http://www.kuro5hin.org
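The connectivity check asked about in the quoted message, as an added example that is not part of the original post or of any Debian keyring tooling. It assumes a listing shaped like `gpg --list-sigs --with-colons` output (field 1 is the record type, field 5 the key ID); the sample listing, its key IDs and the function names are constructed for illustration.

```python
# Constructed sample shaped like `gpg --list-sigs --with-colons`; key IDs are made up.
SAMPLE = """\
pub:-:1024:17:AAAAAAAAAAAAAAAA:979772400:::-:
sig:::17:BBBBBBBBBBBBBBBB:979772401::::Bob:10x:
pub:-:1024:17:BBBBBBBBBBBBBBBB:979772400:::-:
sig:::17:AAAAAAAAAAAAAAAA:979772402::::Alice:10x:
pub:-:1024:17:DDDDDDDDDDDDDDDD:979772400:::-:
sig:::17:EEEEEEEEEEEEEEEE:979772403::::Eve:10x:
pub:-:1024:17:EEEEEEEEEEEEEEEE:979772400:::-:
sig:::17:FFFFFFFFFFFFFFFF:979772404::::[User ID not found]:10x:
"""

def signature_graph(listing):
    """Map each key in the ring to the set of ring keys it has signed."""
    graph, edges, current = {}, [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]
            graph[current] = set()
        elif f[0] == "sig" and current and f[4] != current:
            edges.append((f[4], current))  # signer -> signed key
    for signer, signed in edges:
        if signer in graph:  # drop signers that are not in the ring
            graph[signer].add(signed)
    return graph

def reachable(graph, roots):
    """Keys reachable by following edges outward from the given roots."""
    seen, stack = set(), [r for r in roots if r in graph]
    while stack:
        key = stack.pop()
        if key not in seen:
            seen.add(key)
            stack.extend(graph[key] - seen)
    return seen

def islands(graph):
    """Groups of keys with no signature crossing between groups."""
    both = {k: set(v) for k, v in graph.items()}
    for signer, signed_keys in graph.items():
        for signed in signed_keys:
            both[signed].add(signer)  # ignore signature direction
    groups, seen = [], set()
    for key in sorted(both):
        if key not in seen:
            groups.append(sorted(reachable(both, [key])))
            seen.update(groups[-1])
    return groups
```

`islands()` returning more than one group means the ring is split into sets with no cross-signatures; `reachable()` from the keys you verified in person shows which keys have a signature path from you, and everything outside that set has none.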