Re: Where is the trust?

To: debian-user@lists.debian.org
Subject: Re: Where is the trust?
From: Henrique de Moraes Holschuh <hmh@debian.org>
Date: Wed, 23 Feb 2011 19:57:01 -0300
Message-id: <[🔎] 20110223225701.GA29206@khazad-dum.debian.net>
In-reply-to: <[🔎] AANLkTi=GA+Dmx7iL-8V7Es=bQ22XUzoE+eb1mtdpez9B@mail.gmail.com>
References: <[🔎] AANLkTi=GA+Dmx7iL-8V7Es=bQ22XUzoE+eb1mtdpez9B@mail.gmail.com>

On Wed, 23 Feb 2011, The Suspect wrote:
> From where comes the trust for your archive?

In the end, it all amounts to thin, dirty air.

That said, the archive keys are signed by several DDs, whose keys are part
of the strong set of the gpg public web-of-trust.

So, if you're troubled by the trust on the release signing keys, find
yourself a trust path to the strong set, or enough weak paths that you're
willing to convince yourself that the keys are indeed valid.

> So, I am basically stuck blindly trusting that your keyring file has not
> been compromised and that your website is not an evil mirror.

Maybe.  See above.

> You might at least put up a secure SSL connection so that someone might have

You are, of course, aware that unless you anchor the CA you are going to
trust *and* that CA has not been subverted in the first place, any https
session can be trivially intercepted through a man-in-the-middle attack,
using valid certificates signed by any of the hundreds of CAs your browser
trusts?

So, why should we bother with something as useless as https, again?

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to:

References:
- Where is the trust?
  - From: The Suspect <policeoppression@gmail.com>

Prev by Date: Re: restarting sound
Next by Date: Re: upgrading squeeze/sid to stable
Previous by thread: Re: Where is the trust?
Next by thread: Re: Where is the trust?
Index(es):
- Date
- Thread