
Re: Fwd: Fwd: question regarding verification of a debian installation iso



On Mon, Jan 03, 2011 at 12:24:16AM +0100, Naja Melan wrote:
> Arto Artinian <artinian@fastmail.fm> :
> 
> > Hi Naja,
> >
> 
> > I am not sure what your point is here?  You don't trust pgp webs of trust,
> > nor https, nor md5 checksums of debian sources.  I mean, at some point if
> > you want to use software that you didn't exclusively write and/or audit,
> > you're gonna have to implicitly trust someone.  If not, what's the
> > alternative?
> >
> > Pano
> >
> 
> 
> My point is:
> 
> If we want to seriously speak of security, then we might conceive that at an
> operating system level, amongst many other things, the issue of getting it
> from the developer to the user without it being tampered with on the way is
> quite an important point, lest we ridicule ourselves. Currently this is how
> far I get on a practical level on this particular link of the security
> chain:
> 
> 1. Probably the safest thing to do is buy a mac or windows cd in the shop,
> although there is (for me) no way of knowing how safe that really is.
> 2. Some linux distros I see now do have certified https, like fedora which
> puts gpg fingerprints (SHA1) of their public keys on their certified
> website.

We have various https sites which show you keys.  But you need to
have SPI's certificate in your web browser for that, which you
probably don't have.  You can find information about that at:
http://oldwww.spi-inc.org/secretary/

You can see the keys of all developers on:
https://db.debian.org/

I think you've also been pointed to:
https://ftp-master.debian.org/keys.html

Which contains the archive signing keys, but not the key to sign
the CD releases.  You can use either of the above ways to verify
the content of the CD.

So now you're at the point where all your trust starts from SPI's
certificate.  And to import that you end up back at trusting a GPG
signature and need the web of trust to verify that.

Like I said in a previous mail, all your trust starts from
somewhere.  You've downloaded a bunch of certificates that
came with your web browser.  Why do you trust them?


Kurt
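The verification Kurt describes, with the trust root made explicit, as an added example that is not part of the thread or of Debian's own tooling: it checks a Debian-style SHA512SUMS file against its detached signature, insists the signing key's fingerprint equals one you obtained out of band (TRUSTED_FPR is a placeholder, not a real key), and only then compares the ISO's digest. Assumed names: SHA512SUMS, SHA512SUMS.sign and the coreutils "<hex>  <name>" checksum line format.

```python
# Added example (not Debian's tooling): verify a SHA512SUMS file against its
# detached signature, then the ISO it lists.  TRUSTED_FPR must come from out of band.
import hashlib
import os
import re
import subprocess

TRUSTED_FPR = "0000000000000000000000000000000000000000"  # placeholder, not a real key
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S.*)$")

def parse_sums(text):
    """Map filename -> lowercase hex digest; reject lines that do not parse."""
    sums = {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("malformed checksum line: %r" % line)
        sums[m.group(2)] = m.group(1).lower()
    return sums

def digest_of(data, algo="sha512"):
    return hashlib.new(algo, data).hexdigest()

def file_digester(directory, algo="sha512"):
    """Return name -> hex digest of that file under `directory`, or None if absent."""
    def digest_for(name):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            return None
        h = hashlib.new(algo)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):  # stream; ISOs are large
                h.update(chunk)
        return h.hexdigest()
    return digest_for

def check_sums(sums, digest_for):
    """Per-file status: OK, MISMATCH or MISSING."""
    out = {}
    for name, expected in sums.items():
        got = digest_for(name)
        out[name] = "MISSING" if got is None else ("OK" if got == expected else "MISMATCH")
    return out

def signature_ok(sums_path, sig_path, trusted_fpr=TRUSTED_FPR):
    """Good gpg signature AND pinned fingerprint; any other key proves nothing."""
    status = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, sums_path],
                            capture_output=True, text=True, check=False).stdout.splitlines()
    good = any(l.startswith("[GNUPG:] GOODSIG ") for l in status)
    fprs = [l.split()[2] for l in status if l.startswith("[GNUPG:] VALIDSIG ")]
    return good and trusted_fpr in fprs
```

Run it as `signature_ok("SHA512SUMS", "SHA512SUMS.sign")` followed by `check_sums(parse_sums(open("SHA512SUMS").read()), file_digester("."))`; a checksum match means nothing unless the signature check passed first.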

