On Tue, Jun 29, 2004 at 06:28:49PM +0100, Andrew Suffield wrote:
> On Tue, Jun 29, 2004 at 02:56:39PM +0200, Frank Küster wrote:
> > What's the difference between Martin trusting the certificates of that
> > company and your trusting any DD's gpg signature? It seems the
> > difference is that Martin knows people from the company personally,
> > while you don't know most DDs.
> No, the difference is that you only have to trust one DD,

Actually, you have to trust all of them, because they all have effective
root access to your system (unless you audit every upload, which is
about as plausible as people checking every SSL certificate).

> while you have to trust the janitors from the company, who are
> probably immigrants working for a pittance.

Only if the company is foolish enough to allow anyone who wanders in the
door to make a signature from their CA.

