on 04:56 Wed 16 Mar, Todd A. Jacobs (codegnome.consulting+debian@gmail.com) wrote:
> I've recently downloaded the net installation image for Squeeze, but
> am really uncomfortable with the fact that I can't establish a firm
> trust path to the CD signing key. Is there a canonical place to get
> the fingerprint of this key, so that at least one can have some
> confidence that the key one is validating with is at least the
> widely-known (and generally accepted) one?
>
> As a hack, I've done this on an Ubuntu 10.10 system:
>
> gpg --recv-keys 6294BE9B
> gpg --keyring /usr/share/keyrings/debian-keyring.gpg -kvv 6294BE9B
>
> While this shows that this particular key has been signed by some
> Debian developers, it doesn't actually validate that the key is the
> official key for verifying the ISOs.
>
> Can anyone point me to ANY debian.org page that defines the official
> key for CD images? Major bonus for any official links to fingerprints
> for the CD signing key.
You don't trust a key by where you got it.
You trust a key by who's signed it.
http://www.rubin.ch/pgp/weboftrust.en.html
http://www.pgpi.org/doc/pgpintro/
Otherwise: you're saying you trust DNS more than PKI?
It would be a Good Thing for the Debian CD signing key to be more widely
signed (assuming that 6294BE9B is in fact the signing key).
My signing this email simply says that a person who has access to the
associated GPG private key wrote it, and (assuming the signature
validates) that the content hasn't been altered.
Without known trusted signatures on my key, I could be anybody.
--
Dr. Ed Morbius, Chief Scientist / |
Robot Wrangler / Staff Psychologist | When you seek unlimited power
Krell Power Systems Unlimited | Go to Krell!
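The check Todd describes, done mechanically, as an added example that is not part of this thread: parse the `--with-colons` output of `gpg --list-sigs` for the candidate key, count only certifications whose signer key ID is present in the trusted keyring, refuse a key that a keyring member has revoked a certification on, and compare the fingerprint against one obtained out of band. All key IDs, fingerprints and user IDs are constructed placeholders (only the short ID 6294BE9B comes from the thread); the field positions follow GnuPG's documented colon format.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the output of `gpg --with-colons --list-sigs 6294BE9B`.
# Every key ID, fingerprint and user ID below is a made-up placeholder.
SAMPLE_LISTING = """\
pub:-:4096:1:001122336294BE9B:1250000000:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF001122336294BE9B:
sig:::1:001122336294BE9B:1250000000::::Example CD Signing Key <cd@example.invalid>:13x:
sig:::1:1111111111111111:1260000000::::Alice Developer <alice@example.invalid>:10x:
sig:::1:2222222222222222:1270000000::::Mallory Nobody <mallory@example.invalid>:10x:
rev:::1:3333333333333333:1280000000::::Bob Developer <bob@example.invalid>:30x:
"""
# Constructed: long key IDs taken from the pub records of debian-keyring.gpg.
TRUSTED_KEYRING_IDS = {"1111111111111111", "3333333333333333"}

@dataclass
class KeyCheck:
    fingerprint: str = ""
    fingerprint_matches: bool = False
    self_signed: bool = False
    trusted_signers: set = field(default_factory=set)   # certified by keyring members
    unknown_signers: set = field(default_factory=set)   # certified by anyone else
    trusted_revokers: set = field(default_factory=set)  # keyring members who revoked a cert

def check_key(listing: str, trusted_ids: set, expected_fpr: str = "") -> KeyCheck:
    """Walk --with-colons records: field 5 (index 4) holds the signer's key ID."""
    r, key_id = KeyCheck(), None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key_id = f[4]
        elif f[0] == "fpr":
            r.fingerprint = f[9]               # field 10 of an fpr record
        elif f[0] == "rev":                    # a revoked certification is not an endorsement
            if f[4] in trusted_ids:
                r.trusted_revokers.add(f[4])
        elif f[0] == "sig":
            if f[4] == key_id:
                r.self_signed = True
            elif f[4] in trusted_ids:
                r.trusted_signers.add(f[4])
            else:
                r.unknown_signers.add(f[4])
    want = expected_fpr.replace(" ", "").upper()
    r.fingerprint_matches = not want or r.fingerprint == want
    return r

def is_acceptable(r: KeyCheck, min_trusted: int = 1) -> bool:
    # Matching fingerprint, self-signature, enough trusted certs, no trusted revocation.
    return r.fingerprint_matches and r.self_signed and len(r.trusted_signers) >= min_trusted and not r.trusted_revokers
```

With the sample data the key is rejected even though Alice certified it, because Bob (also in the keyring) revoked his certification; a signature from Mallory, who is not in the keyring, counts for nothing either way.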