
Re: Debian Archive Automatic Signing Key (4.0/etch)?



On Wednesday 22 November 2006 11:05, Hamish Moffatt wrote:
> On Wed, Nov 22, 2006 at 09:48:46AM +0100, Hendrik Sattler wrote:
> > Or even better:
> > # gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs A70DAF536070D3A1
> >
> > I just assume that receiving the keys via the debian-keyring package is
> > more trustworthy than via a random public server. In the default
> > configuration, it
>
> But you need to be able to validate that package in some fashion too.

To run in circles here: any proposals for a trust anchor for random users
Alice and Bob?
Assuming I use the keyring-debian package from an older installation CD, if
the keys to validate did not change, I kind of trust it, because if attacks
are not found in such a time, the whole thing is lost anyway ;)
The GPG signing does not make authentication an always-trust-it thing. It just
makes it a bit harder for an attacker (creating a fake keyring and uploading
it to a random keyserver is possible, I assume).

No one has answered yet why this key is not in the debian-archive-keyring package.
I thought that the whole idea was to make it available before it gets used.
That would be the easiest (install it at installation time), and
"apt-key update" could be used.

HS
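The thread asks what a trust anchor for verifying the archive key could look like. The following is an added example, not code from the original mail or from Debian: it takes the machine-readable output of the `gpg --check-sigs` command quoted above (run with `--with-colons`) and reports which certifications on the key come from a caller-chosen set of anchor keys and verified as good. The sample output, its fingerprint and the anchor key ids are constructed placeholders; only the key id A70DAF536070D3A1 comes from the thread.

```python
"""Check which certifications on a key come from chosen trust-anchor keys.

Parses `gpg --with-colons --check-sigs <keyid>` output: `pub` records carry
the key id in field 5, `fpr` records the fingerprint in field 10, and `sig`
records the signer key id in field 5 with the check result in field 2
('!' good, '-' bad, '?' signer key not in keyring, '%' other error).
"""
import subprocess
from typing import Dict, List

# CONSTRUCTED sample output; the fingerprint and the signer ids 1111…/2222…/3333…
# are placeholders, not real keys.
SAMPLE_OUTPUT = """\
tru::1:1164201600:0:3:1:5
pub:-:4096:1:A70DAF536070D3A1:2006-11-20::::::scESC:
fpr:::::::::0000000000000000000000000000000000000000:
uid:-::::2006-11-20::PLACEHOLDERHASH::Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>:
sig:!::1:A70DAF536070D3A1:2006-11-20::::Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>:13x:
sig:!::17:1111111111111111:2006-11-21::::Anchor One <anchor1@example.org>:10x:
sig:?::1:2222222222222222:2006-11-21::::[User ID not found]:10x:
sig:-::1:3333333333333333:2006-11-22::::Bad Signer <bad@example.org>:10x:
"""


def parse_check_sigs(output: str) -> Dict[str, object]:
    """Extract the primary key id, its fingerprint and all sig records."""
    key: Dict[str, object] = {"keyid": None, "fpr": None, "sigs": []}
    for line in output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key["keyid"] = f[4]
        elif f[0] == "fpr" and key["fpr"] is None:   # first fpr = primary key
            key["fpr"] = f[9]
        elif f[0] == "sig":
            key["sigs"].append({"status": f[1], "signer": f[4], "uid": f[9]})
    return key


def good_anchor_sigs(output: str, anchors: List[str]) -> List[str]:
    """Signer ids from `anchors` whose certification on the key checked out.

    Self-signatures are ignored: a key vouching for itself is no anchor.
    Anchors may be given as 16-hex key ids or full fingerprints.
    """
    key = parse_check_sigs(output)
    wanted = {a.upper()[-16:] for a in anchors}
    return sorted({s["signer"] for s in key["sigs"]
                   if s["status"] == "!" and s["signer"] != key["keyid"]
                   and s["signer"] in wanted})


def run_check_sigs(keyid: str, keyring: str) -> str:
    """Run gpg against a local keyring (e.g. the debian-keyring package's file)."""
    return subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring,
         "--with-colons", "--check-sigs", keyid],
        capture_output=True, text=True, check=True).stdout
```

On a real system, feed `run_check_sigs("A70DAF536070D3A1", "/usr/share/keyrings/debian-keyring.gpg")` into `good_anchor_sigs` with the fingerprints you personally trust; an empty result means no anchor you chose has certified the key.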


