Re: Where is the trust?
on 12:24 Wed 23 Feb, The Suspect (policeoppression@gmail.com) wrote:
> From where comes the trust for your archive?
>
> Let me explain something of which I am sure you are fully aware, just to
> point it out.
Let me short-cut this whole discussion.
Read "How PGP Works":
http://www.pgpi.org/doc/pgpintro/
Pay particular attention to the section titled "Validity and trust".
> Your site says to download the following keyring file in order to trust your
> packages:
>
> http://www.debian-multimedia.org/pool/main/d/debian-multimedia-keyring/debian-multimedia-keyring_2010.12.26_all.deb
>
PGP (on which GNU Privacy Guard is based) relies on two core features:
public key cryptography (or infrastructure, hence: PKI), and a web of
trust.
PGP key distribution is *independent* from the trust of the distribution
site or transport channel.
What you're trusting isn't the keys, the server, or the transport, but
the signatures *you* *know* on the key(s). These signatures are
cryptographically secure (they're not likely to have been compromised
through cryptographic methods, though other means of breaching trust are
possible).
If you /can't/ establish a trust connection between yourself and a key,
then unless you can come up with a good reason for doing so, you don't
trust it to certify an identity. The best you can do is attribute an
imputed trust to it over time (say, for a well-known key or for a key
with many well-known signatures).
Listing signatures on the key 1F41B907 shows some 76 signatures
(including multiple self-signatures from Christian Marillat).
Introducing yourself to one of these signers (or establishing a web of
trust including them) would allay some of your fears.
Note that now all you've established is that you've got a
cryptographically based trust that the person is who they've said they
are. Not that you trust them at all times to write/release benevolent
code.
The fact that you're complaining about a keyring and repo outside the
Debian Project / SPI is merely icing on the cake.
As for trusting SSL:
http://www.schneier.com/blog/archives/2008/12/forging_ssl_cer.html
http://www.schneier.com/blog/archives/2010/04/man-in-the-midd_2.html
http://www.schneier.com/blog/archives/2010/09/uae_man-in-the-.html
It's so fortunate the world doesn't have to, say, worry about the
validity and/or moral compass of middle-eastern / north-African
governments.
--
Dr. Ed Morbius, Chief Scientist / |
Robot Wrangler / Staff Psychologist | When you seek unlimited power
Krell Power Systems Unlimited | Go to Krell!
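The "Validity and trust" computation the reply points to, worked through as an added example; this is not code from the thread, from PGP or from GnuPG. It implements the classic PGP/GnuPG trust model over a constructed key graph: a key becomes valid only when it is certified by keys that are themselves already valid and to whom *you* have assigned owner trust, with GnuPG's default thresholds (one full or three marginal introducers, chain depth at most 5) assumed as the defaults and classic PGP's two-marginal threshold available as a parameter. Key IDs, signatures and owner-trust values below are all made up for illustration; signatures are simplified to key level (GnuPG evaluates them per user ID).

```python
"""Classic PGP/GnuPG web-of-trust validity over a constructed key graph.

Added illustration, not code from the mailing-list thread, PGP or GnuPG.
Assumptions: keys are opaque string IDs, certifications are key-level
rather than per user ID, and the defaults mirror GnuPG's
--completes-needed 1 --marginals-needed 3 --max-cert-depth 5.
"""

from dataclasses import dataclass, field

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


@dataclass
class Keyring:
    # key id -> set of key ids that have certified (signed) it
    sigs: dict = field(default_factory=dict)
    # key id -> owner trust YOU assigned: how far you trust that key's
    # holder to certify other people's keys (this is never downloaded)
    ownertrust: dict = field(default_factory=dict)

    def add_sig(self, key, signer):
        self.sigs.setdefault(key, set()).add(signer)
        self.sigs.setdefault(signer, set())


def compute_validity(ring, completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """Return {key: depth} for every key that is valid from your point of view.

    Depth 0 is your own (ultimately trusted) key.  A key at depth d is one
    whose certifications from already-valid introducers at depth < d add up
    to completes_needed fully trusted signers or marginals_needed marginally
    trusted ones.  Self-signatures, signatures from keys you have not
    validated, and owner trust assigned to an unvalidated key all count for
    nothing, which is the point of the thread: what matters is the
    signatures you know, not how many there are or where the key came from.
    """
    depth = {k: 0 for k, t in ring.ownertrust.items() if t == ULTIMATE}
    for d in range(1, max_cert_depth + 1):
        newly_valid = []
        for key, signers in ring.sigs.items():
            if key in depth:
                continue
            completes = marginals = 0
            for s in signers:
                if s == key or s not in depth:      # self-sig or unvalidated signer
                    continue
                t = ring.ownertrust.get(s, UNKNOWN)
                if t in (ULTIMATE, FULL):
                    completes += 1
                elif t == MARGINAL:
                    marginals += 1
            if completes >= completes_needed or marginals >= marginals_needed:
                newly_valid.append(key)
        if not newly_valid:
            break
        for key in newly_valid:                       # all found this round sit at depth d
            depth[key] = d
    return depth


def build_example_ring():
    """Constructed key graph; none of these are real keys or signatures."""
    ring = Keyring()
    ring.ownertrust = {
        "me": ULTIMATE,
        "alice": FULL,                                  # her certifications stand alone
        "bob": MARGINAL, "carol": MARGINAL, "dave": MARGINAL,
        "stranger2": FULL,                              # trusted holder, but key never validated
        "repo": FULL,                                   # only matters once repo itself is valid
    }
    for friend in ("alice", "bob", "carol", "dave"):
        ring.add_sig(friend, "me")                      # keys I have checked in person
    ring.add_sig("repo", "repo")                        # archive key: self-signed ...
    ring.add_sig("repo", "bob")                         # ... plus two marginal introducers
    ring.add_sig("repo", "carol")
    for i in range(1, 80):                              # many signatures, none from anyone
        ring.add_sig("popular", f"stranger{i}")         # I have validated
    ring.add_sig("downstream", "repo")                  # certified only by the archive key
    return ring


def build_chain_ring(length):
    """Constructed chain me -> k1 -> k2 -> ..., each fully trusted and certified by the previous."""
    ring = Keyring()
    ring.ownertrust = {"me": ULTIMATE}
    prev = "me"
    for i in range(1, length + 1):
        key = f"k{i}"
        ring.add_sig(key, prev)
        ring.ownertrust[key] = FULL
        prev = key
    return ring


if __name__ == "__main__":
    ring = build_example_ring()
    for label, kw in (("GnuPG defaults", {}), ("classic PGP, 2 marginals", {"marginals_needed": 2})):
        valid = compute_validity(ring, **kw)
        print(label, {k: valid.get(k) for k in ("alice", "repo", "downstream", "popular")})
```

Under GnuPG's defaults the constructed archive key "repo" is not valid: two marginal introducers are one short of three, and its self-signature does not count. Under classic PGP's two-marginal threshold it becomes valid at depth 2, and because you assigned it full owner trust, "downstream" then becomes valid at depth 3. The "popular" key is never valid however many signatures it carries, because none of its signers are keys you have validated, and the full owner trust assigned to "stranger2" is ignored for the same reason. Adding one more known marginal signer ("dave") to "repo" is what the reply means by introducing yourself to one of the existing signers. None of this says anything about whether the holder of a valid key ships benign packages; it establishes identity only.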