[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: About GPG-signing the public RSA keys of Debian machines

On Mon, Oct 09, 2006 at 08:19:33PM +0200, Florent Rougon wrote:
>   2. I have to trust the integrity of db.debian.org.
> I think it would be much better if someone from debian-admin would be so
> kind to GPG-sign the public RSA keys of Debian hosts. This way, I'd only
> have to trust that James Troup and Martin Schulze[1] take good care of
> their GPG keys.

Which has the key in it, and is signed by James Troup.

Most Debian hosts should have an /etc/ssh/ssh_known_hosts with all host
keys in.  I suggest you read:

Anyway, if you don't trust db.debian.org, how did you log in the
first time to any Debian machine?

I assume you've used https and that you verified the certificate?
And saw that it was issued by SPI?  And then you looked up SPI's
certificate?  And you found that there is a text file with the SHA1 and
MD5 sum signed by Wichert Akkerman?

For those that don't know those files:


Attachment: signature.asc
Description: Digital signature

Reply to: