
Re: Where is the trust?



On Wed, 23 Feb 2011, The Suspect wrote:
> From where comes the trust for your archive?

In the end, it all amounts to thin, dirty air.

That said, the archive keys are signed by several DDs, whose keys are part
of the strong set of the gpg public web-of-trust.

So, if you're troubled by the trust on the release signing keys, find
yourself a trust path to the strong set, or enough weak paths that you're
willing to convince yourself that the keys are indeed valid.

> So, I am basically stuck blindly trusting that your keyring file has not
> been compromised and that your website is not an evil mirror.

Maybe.  See above.

> You might at least put up a secure SSL connection so that someone might have

You are, of course, aware that unless you anchor the CA you are going to
trust *and* that CA has not been subverted in the first place, any https
session can be trivially intercepted through a man-in-the-middle attack,
using valid certificates signed by any of the hundreds of CAs your browser
trusts?

So, why should we bother with something as useless as https, again?

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
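The trust-path argument in the mail above, as an added example that is not part of the original post: a simplified version of GnuPG's classic trust calculation run over a constructed signature graph, showing why one full trust path or "enough weak paths" to the strong set makes the archive key valid. Key names, signatures and ownertrust values are made up for illustration.

```python
# Added example (not from the original mail): a simplified version of the
# classic GnuPG trust model, applied to a constructed signature graph. Key
# names are made up; real key IDs, ownertrust and signatures differ.
from collections import defaultdict

# Constructed: who has signed whose key. "me" is the keyring owner.
SIGS = {
    "me":    {"alice", "bob"},
    "alice": {"dd1", "dd2"},   # alice signed two Debian Developers' keys
    "bob":   {"dd2", "dd3"},
    "dd1":   {"archive"},      # the DDs signed the archive signing key
    "dd2":   {"archive"},
    "dd3":   {"archive"},
}

# Constructed: how far the owner trusts each key holder as a *certifier*.
OWNERTRUST = {"me": "ultimate", "alice": "full", "bob": "marginal",
              "dd1": "marginal", "dd2": "marginal", "dd3": "marginal"}


def compute_valid_keys(sigs, ownertrust, marginals_needed=3,
                       completes_needed=1, max_cert_depth=5):
    """Keys considered valid under GnuPG's classic rules: a key becomes
    valid once it carries signatures from `completes_needed` fully/ultimately
    trusted valid keys, or from `marginals_needed` marginally trusted valid
    keys, within `max_cert_depth` hops of an ultimately trusted key."""
    signers_of = defaultdict(set)
    for signer, signed in sigs.items():
        for key in signed:
            signers_of[key].add(signer)
    valid = {k for k, t in ownertrust.items() if t == "ultimate"}
    for _depth in range(max_cert_depth):
        newly_valid = set()
        for key, signers in signers_of.items():
            if key in valid:
                continue
            good = [s for s in signers if s in valid]  # only valid signers count
            full = sum(ownertrust.get(s) in ("full", "ultimate") for s in good)
            marginal = sum(ownertrust.get(s) == "marginal" for s in good)
            if full >= completes_needed or marginal >= marginals_needed:
                newly_valid.add(key)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid


def archive_key_valid(marginals_needed=3, ownertrust=OWNERTRUST):
    return "archive" in compute_valid_keys(SIGS, ownertrust, marginals_needed)
```

With GnuPG's default of three marginals the archive key stays unverified in this graph, because dd3 is reachable only through bob's single marginal signature; lowering marginals-needed to two, or assigning full ownertrust to one DD whose key is itself valid, is what turns the weak paths into a valid archive key.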

