
Re: Canonical source for the new CD signing key's fingerprint?

On 20110316_150153, Boyd Stephen Smith Jr. wrote:
> On 2011-03-16 14:31:14 Dr. Ed Morbius wrote:
> >My signing this email simply says that a person who has access to the
> >associated GPG private key wrote it.
> Actually, it doesn't even guarantee that they *wrote* it.  It guarantees they
> *read* it and were willing to sign it.

I think Todd has a point. All DDs have signing keys. But not all DDs
have authority to authorize a release of iso images. I suppose there
is some chain of trust from the DD's signing key back to some
ultimately authoritative Debian certificate. Is that so? Could someone
associated with the Evil Empire create a signing key that contains the
name of a well known DD and use it to 'sign' rogue iso images? In
other words, there does not seem to me to be a verifiable chain of
trust here.

I'm sure that whoever it was who actually signed the iso release can
satisfy himself that what is available on any particular repository is
a true copy of what he signed. But who is he? And is what he signed a
true copy of an uncorrupted Debian iso image? And does he actually use
the name that is on the signing certificate as his personal name in
his first life? If I ever had reason to doubt, I would not be satisfied
with what appears to be an exercise in ritual purity.

Paul E Condon
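One way to act on the concern raised above, as an added example that is not part of the thread: a small Python routine that reads GnuPG's machine-readable `--status-fd` output, ignores the name on the key entirely, and accepts a signature only when the key fingerprint matches one the project has published out of band and the local web of trust rates that key fully or ultimately trusted. The fingerprints, key IDs, user ID and status transcripts are constructed placeholders.

```python
# Added example, not from the thread: decide whether a signature on a Debian
# checksum file is acceptable from GnuPG's --status-fd output, pinning the
# key fingerprint and ignoring the name on the key. All fingerprints and
# status lines here are constructed placeholders.
TRUSTED_LEVELS = {"TRUST_FULLY", "TRUST_ULTIMATE"}
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}
PINNED_FPR = "A" * 40  # placeholder for the project's published fingerprint

def evaluate_status(status_text, pinned_fpr=PINNED_FPR):
    """Return (accepted, reason) for one gpg --status-fd transcript.

    GOODSIG's user ID is never consulted: anyone can create a key carrying a
    well-known developer's name. Only VALIDSIG's fingerprint and the TRUST_*
    line, which reflects the local web of trust, decide the outcome.
    """
    fingerprint, trust = None, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in FATAL:
            return False, keyword
        if keyword == "VALIDSIG":
            # fields[2] is the signing (sub)key fingerprint; when present,
            # fields[11] is the primary key fingerprint, which is what we pin.
            fingerprint = fields[11] if len(fields) >= 12 else fields[2]
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if fingerprint is None:
        return False, "no VALIDSIG"
    if fingerprint.upper() != pinned_fpr.upper():
        return False, "fingerprint mismatch"
    if trust not in TRUSTED_LEVELS:
        return False, "insufficient trust: %s" % trust
    return True, "ok"

# Constructed transcripts. Both carry the same user ID; only one key is pinned.
GENUINE = """[GNUPG:] GOODSIG 0000000000000000 Debian CD signing key <placeholder@example.org>
[GNUPG:] VALIDSIG {f} 2011-03-16 1300284000 0 4 0 1 10 00 {f}
[GNUPG:] TRUST_FULLY 0 pgp
""".format(f=PINNED_FPR)
IMPOSTOR = """[GNUPG:] GOODSIG 1111111111111111 Debian CD signing key <placeholder@example.org>
[GNUPG:] VALIDSIG {f} 2011-03-16 1300284000 0 4 0 1 10 00 {f}
[GNUPG:] TRUST_UNDEFINED 0 pgp
""".format(f="B" * 40)

if __name__ == "__main__":
    for label, text in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(label, evaluate_status(text))
```

A pinned key that verifies but sits outside the local web of trust is rejected too, which is exactly the gap the message above describes.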
