
Re: Where is the trust?



on 12:24 Wed 23 Feb, The Suspect (policeoppression@gmail.com) wrote:
> From where comes the trust for your archive?
> 
> Let me explain something that I am sure you are fully aware, just to point
> it out.

Let me short-cut this whole discussion.

Read "How PGP Works":

    http://www.pgpi.org/doc/pgpintro/

Pay particular attention to the section titled "Validity and trust".


> Your site says to download the following keyring file in order to trust your
> packages:
> 
> http://www.debian-multimedia.org/pool/main/d/debian-multimedia-keyring/debian-multimedia-keyring_2010.12.26_all.deb
> 

PGP (on which GNU Privacy Guard is based) relies on two core features:
public key cryptography (or infrastructure, hence: PKI), and a web of
trust.

PGP key distribution is *independent* from the trust of the distribution
site or transport channel.

What you're trusting isn't the keys, the server, or the transport, but
the signatures *you* *know* on the key(s).  These signatures are
cryptographically secure (they're not likely to have been compromised
through cryptographic methods, though other means of breaching trust are
possible).

If you /can't/ establish a trust connection between yourself and a key,
then unless you can come up with a good reason for doing so, you don't
trust it to certify an identity.  The best you can do is attribute an
imputed trust to it over time (say, for a well-known key or for a key
with many well-known signatures).

Listing signatures on the key 1F41B907 shows some 76 signatures
(including multiple self-signatures from Christian Marillat).
Introducing yourself to one of these signers (or establishing a web of
trust including them) would allay some of your fears.

Note that now all you've established is that you've got a
cryptographically based trust that the person is who they've said they
are.  Not that you trust them at all times to write/release benevolent
code.


The fact that you're complaining about a keyring and repo outside the
Debian Project / SPI is merely icing on the cake.


As for trusting SSL:

    http://www.schneier.com/blog/archives/2008/12/forging_ssl_cer.html
    http://www.schneier.com/blog/archives/2010/04/man-in-the-midd_2.html
    http://www.schneier.com/blog/archives/2010/09/uae_man-in-the-.html

It's so fortunate the world doesn't have to, say, worry about the
validity and/or moral compass of middle-eastern / north-African
governments.

-- 
Dr. Ed Morbius, Chief Scientist /            |
  Robot Wrangler / Staff Psychologist        | When you seek unlimited power
Krell Power Systems Unlimited                |                  Go to Krell!
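The "Validity and trust" rule applied in the reply above, as an added example that is not part of the post or of GnuPG itself: a Python model of how only signatures from signers *you* have assigned ownertrust to make a key valid, so 76 signatures from strangers count for nothing. The thresholds mirror GnuPG's defaults; the record layout of the constructed sample listing and all key IDs and names are assumptions.

```python
# Added example, not the poster's code or GnuPG's implementation: a model of
# the "validity and trust" rule, using GnuPG's default thresholds.
COMPLETES_NEEDED = 1   # one fully trusted signer suffices
MARGINALS_NEEDED = 3   # or three marginally trusted signers

# Constructed sample in the shape of `gpg --with-colons --check-sigs KEYID`.
# In a sig record, field 2 is the check result ('!' good, '-' bad,
# '?' signer key not in keyring), field 5 the signer key ID, field 10 its UID.
SAMPLE_LISTING = """\
pub:-:4096:1:00000000DEADBEEF:1293321600:::-:::scESC:
uid:-::::1293321600::ABCDEF0123456789::Example Packager <packager@example.org>:
sig:!::1:00000000DEADBEEF:1293321600::::Example Packager <packager@example.org>:13x:
sig:!::1:1111111111111111:1293408000::::Alice <alice@example.org>:13x:
sig:!::1:2222222222222222:1293408000::::Bob <bob@example.org>:13x:
sig:!::1:3333333333333333:1293408000::::Carol <carol@example.org>:13x:
sig:?::1:4444444444444444:1293408000::::[User ID not found]:13x:
sig:-::1:5555555555555555:1293408000::::Mallory <mallory@example.org>:13x:
"""

def parse_listing(text):
    """Return (key_id, [(status, signer_key_id, signer_uid), ...])."""
    key_id, sigs = None, []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key_id = f[4]
        elif f[0] == "sig":
            sigs.append((f[1], f[4], f[9]))
    return key_id, sigs

def key_validity(listing, ownertrust):
    """Validity the web of trust grants the listed key, given the ownertrust
    ('u'/'f' full, 'm' marginal) *you* assigned to signer keys; returns
    ('f' full | 'm' marginal | '-' none, [signer UIDs that counted])."""
    key_id, sigs = parse_listing(listing)
    completes, marginals, counted, seen = 0, 0, [], set()
    for status, signer, uid in sigs:
        # Bad or unverifiable sigs, self-sigs and repeat signers carry no weight.
        if status != "!" or signer == key_id or signer in seen:
            continue
        seen.add(signer)
        trust = ownertrust.get(signer, "-")
        if trust in ("u", "f"):
            completes += 1
            counted.append(uid)
        elif trust == "m":
            marginals += 1
            counted.append(uid)
    if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
        return "f", counted
    return ("m" if marginals else "-"), counted
```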

