Re: Signature debian CDs
on 20:46 Mon 21 Mar, Dan (ganchya@gmail.com) wrote:
> On Mon, Mar 21, 2011 at 6:57 PM, Dr. Ed Morbius <dredmorbius@gmail.com> wrote:
> > on 22:48 Mon 21 Mar, Andrei Popescu (andreimpopescu@gmail.com) wrote:
> >> On Lu, 21 mar 11, 13:33:16, Dan wrote:
> >> > Hi,
> >> >
> >> > I downloaded the netinst CD image for the installation of debian. I
> >> > have an Ubuntu computer where I checked the md5sum and the sha1sum. I
> >> > also tried to check the signature doing the following:
> >> > gpg --keyserver keyring.debian.org --recv-keys 6294BE9B
> >> > gpg --verify MD5SUMS.sign MD5SUMS
> >> >
> >> > Is this the right procedure?
> >>
> >> Yes
> >>
> >> > I get a warning:
> >> > gpg: WARNING: This key is not certified with a trusted signature!
> >> > gpg: There is no indication that the signature belongs to the owner.
> >>
> >> GPG is warning you that it can't find a trust path from a key you trust
> >> (usually your own) to the key used to sign that file.
> >
> > Expanding on this:
> >
> > The signature is valid (it cryptographically matches the signing key),
> > but identity is unverified, based on your (OP's) trust path.
> >
> > You've got an assurance that the file contents haven't been changed
> > since they were signed, but no definite assurance of the key's
> > identity.
> >
> > This has been recently discussed on this list.
>
> Thanks for your answer,
> I read the previous thread. I am looking at the GPG scheme to
> understand it better.
Simply (and imperfectly): PGP PKI (and as implemented: gnupg) provide
three basic services:
Encryption: a message may be encrypted to a person's public key. No
"shared secret" need be known (the sender cannot even decrypt her
message unless she's also encrypted it against /her/ public key).
Integrity: signing a message demonstrates that it has not been modified
since it was signed. The signer may or may not be the author of the
message (as noted here earlier).
Identification: an entity is cryptographically likely to be who they
claim to be, /if/ you can establish a web of trust between yourself
and that person's public key. This differs from the SSL/TLS model
in which "certificate authorities" are responsible for
authenticating a particular individual (or not). Note that the PGP
keysigning model usually /does/ rely in part at least on some
"certificate authority", usually a motor vehicles or passport
agency, to provide photo ID which is verified, though different
individuals follow different signing protocols.
In addition to the link above, you might want to look at some keysigning
protocols:
https://secure.wikimedia.org/wikipedia/en/wiki/Key_signing_party
http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html
--
Dr. Ed Morbius, Chief Scientist / |
Robot Wrangler / Staff Psychologist | When you seek unlimited power
Krell Power Systems Unlimited | Go to Krell!
Reply to: