Re: Debian Archive Automatic Signing Key (4.0/etch)?
On Wednesday 22 November 2006 11:05, Hamish Moffatt wrote:
> On Wed, Nov 22, 2006 at 09:48:46AM +0100, Hendrik Sattler wrote:
> > Or even better:
> > # gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs A70DAF536070D3A1
> >
> > I just assume that receiving the keys via the debian-keyring package is
> > more trustworthy than via a random public server. In the default
> > configuration, it
>
> But you need to be able to validate that package in some fashion too.
To run in circles, here, any proposals for a trust anchor for random users
Alice and Bob?
Assuming I use the keyring-debian package from an older installation CD: if
the keys to validate did not change, I kind of trust it, because if attacks
are not found in such a time, the whole thing is lost anyway ;)
The GPG signing does not make authentication an always-trust-it thing. It just
makes it a bit harder for an attacker (creating a fake keyring and uploading
it to a random keyserver is possible, I assume).
No one has answered yet why this key is not in the debian-archive-keyring package.
I thought that the whole idea was to make it available before it gets used.
That would be the easiest (install it at installation time) and
"apt-key update" could be used.
HS
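As an added example (not part of the original thread), here is how the check Hendrik proposes can be made mechanical: pin the full fingerprint of the archive key rather than its 16-hex key ID, and require at least one good certification from a key that is already in a keyring you trust (such as debian-keyring), parsing the `gpg --with-colons --check-sigs` record format. The fingerprint, signer key IDs and the sample gpg output are constructed placeholders; in practice you would feed it the real output of the quoted gpg command.

```shell
#!/bin/sh
# Added example: validate a fetched archive key against a pinned fingerprint
# and against certifications from trusted signers, using the colon-separated
# output of "gpg --with-colons --check-sigs". Records: "fpr" carries the
# fingerprint in field 10; "sig" carries validity in field 2 ("!" good,
# "-" bad, "?" no public key, "%" error) and the signer key ID in field 5.

KEYID="A70DAF536070D3A1"
# PLACEHOLDER: the real fingerprint is not on the page; replace before use.
EXPECTED_FPR="0000000000000000000000000000000000000000"
# CONSTRUCTED: long key IDs of signers you trust (e.g. from debian-keyring).
TRUSTED_SIGNERS="1111111111111111 2222222222222222"

# fpr_matches FILE: succeed only if an fpr record equals EXPECTED_FPR.
fpr_matches() {
    awk -F: -v want="$EXPECTED_FPR" '
        $1 == "fpr" && $10 == want { ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# good_trusted_sigs FILE: print the number of good ("!") sig records
# whose signer key ID is listed in TRUSTED_SIGNERS.
good_trusted_sigs() {
    awk -F: -v trusted="$TRUSTED_SIGNERS" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        $1 == "sig" && $2 == "!" && ($5 in ok) { c++ }
        END { print c + 0 }' "$1"
}

# verify_key FILE: fingerprint pinned AND at least one good trusted certification.
verify_key() {
    fpr_matches "$1" || return 1
    [ "$(good_trusted_sigs "$1")" -ge 1 ]
}

# CONSTRUCTED sample of what "gpg --with-colons --check-sigs $KEYID" could print:
# one self-signature, one good trusted signature, one unverifiable (?) and one bad (-).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<EOF
pub:-:1024:17:${KEYID}:2006-11-01:2007-12-31::-:Debian Archive Automatic Signing Key (4.0/etch):
fpr:::::::::${EXPECTED_FPR}:
sig:!::17:${KEYID}:2006-11-01::::[self-signature]:13x:
sig:!::17:1111111111111111:2006-11-02::::Placeholder Developer <dev@example.org>:10x:
sig:?::17:3333333333333333:2006-11-03::::[User ID not found]:10x:
sig:-::17:2222222222222222:2006-11-04::::Placeholder Developer Two <dev2@example.org>:10x:
EOF

if verify_key "$SAMPLE"; then echo "key $KEYID: fingerprint pinned, trusted certifications: $(good_trusted_sigs "$SAMPLE")"; fi
```

Only the good signature from 1111111111111111 counts; the bad one from 2222222222222222 and the unverifiable one from an unknown key are ignored, which is the behaviour you want when a keyserver may carry junk signatures.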