Re: Fwd: Fwd: question regarding verification of a debian installation iso

On Mon, 03 Jan 2011, Eduardo M KALINOWSKI wrote:
2. Some Linux distros I see now do have certified HTTPS, like Fedora, which
puts GPG fingerprints (SHA1) of their public keys on their certified
3. Other distros have MD5 hashes over certified HTTPS, like Ubuntu.
(virtually a shared fourth place with Debian)

Do you trust Verisign or the issuer of the http certificate?

And also: if you trust them, are you sure the certificate you have in your machine for verification is the actual certificate?

You could go to the issuer's site and look for the fingerprint for verification. But how can you be sure that the fingerprint is legitimate? SSL can't help you here because of the chicken-and-egg problem.

