
Re: TLS encrypted source for Debian iso signing keys?



anotst01@fastmail.fm:
>
> Is there any TLS encrypted source for downloading the Debian iso signing
> keys?

None that I know of, but I don't see a need for that either. Sure, you
could use one of the built-in certificates in your browser to bootstrap
the chain of trust to the signing keys. But that's not how PGP is
designed. If you don't own a PGP key that is somehow connected to the
Debian signing key, you can do something like this:

- Fetch the ISO + signature file (MD5SUMS, MD5SUMS.sign)
- Fetch the key used to sign the ISO and verify the signature
- See how this key is connected to other keys you may have reason to
  trust (e.g. because you already have software installed that is signed
  by a key that also signed the key used to sign the ISO)

The last step is a little awkward and unfortunately I didn't find a
(functional) web page that helps in tracking down trust paths easily.
The sites I found are either broken or use a hopelessly outdated key
set.

On the other hand, the model used by SSL/TLS depends on you trusting all
of the various, mostly unknown entities that somehow managed to have
their certificate shipped by your browser vendor. Remember that there's
no limit on which sites a certificate may sign. The past two years have
shown that this security model does not deserve as much trust as people
put into it.

> If the answer is no, which would be the correct component to file a bug
> against?

If I were to file this bug I would report it against d-i. But I don't
think it will be solved in a satisfying way for you.

What I find more interesting is that the key 0x6294BE9B ("Debian CD
signing key") only has nine signatures and only one from someone using
his "official" @debian org address (0x3442684E, Steve McIntyre). That
could surely be improved. I am a little bit disappointed to learn that
even my fairly well-connected key doesn't help in finding a trust path
to the CD signing key.

J.
-- 
If politics is the blind leading the blind, entertainment is the fucked-
up leading the hypnotised.
[Agree]   [Disagree]
                 <http://www.slowlydownward.com/NODATA/data_enter2.html>

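The trust-path step described in the mail, as an added example that is not from the mail or from any Debian tool: it parses the colon-format output that `gpg --with-colons --fixed-list-mode --list-sigs` produces for keys in a local keyring and searches for a chain of signatures leading from a key you already trust to the CD signing key. The listing is constructed; apart from 0x6294BE9B and 0x3442684E, which the mail names, all key IDs and e-mail addresses are placeholders.

```python
from collections import deque
# Constructed sample of `gpg --with-colons --fixed-list-mode --list-sigs` output, not a
# real keyring dump; key IDs use the 8-digit form from the mail, and AAAA1111,
# BBBB2222 and every e-mail address are placeholders.
SAMPLE_LISTING = """\
pub:-:4096:1:6294BE9B:1306326364:::-:::scSC:
uid:-::::1306326364::::Debian CD signing key <placeholder@example.org>:
sig:::1:6294BE9B:1306326364::::Debian CD signing key <placeholder@example.org>:13x:
sig:::1:3442684E:1306340000::::Steve McIntyre <placeholder@debian.org>:10x:
sig:::1:AAAA1111:1306350000::::Placeholder Signer A <a@example.org>:10x:
pub:-:4096:1:3442684E:1200000000:::-:::scSC:
uid:-::::1200000000::::Steve McIntyre <placeholder@debian.org>:
sig:::1:3442684E:1200000000::::Steve McIntyre <placeholder@debian.org>:13x:
sig:::1:BBBB2222:1200001000::::Placeholder Signer B <b@example.org>:10x:
"""

def parse_signers(listing):
    """Map each listed key to the keys that signed it (field 1 = record type,
    field 5 = key ID); self-signatures say nothing about third-party trust."""
    graph, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4][-8:].upper()
            graph.setdefault(current, set())
        elif f[0] == "sig" and current is not None:
            signer = f[4][-8:].upper()
            if signer != current:
                graph[current].add(signer)
    return graph

def find_trust_path(graph, trusted, target):
    """Walk from the target key back through its signers until a key you already
    trust is reached; returns [trusted_key, ..., target] or None."""
    target = target[-8:].upper()
    trusted = {k[-8:].upper() for k in trusted}
    parent, queue = {target: None}, deque([target])
    while queue:
        key = queue.popleft()
        if key in trusted:
            path = []
            while key is not None:
                path.append(key)
                key = parent[key]
            return path
        for signer in sorted(graph.get(key, ())):
            if signer not in parent:
                parent[signer] = key
                queue.append(signer)
    return None
```

gpg only lists signatures made by keys present in the local keyring, so the signer keys along a candidate chain have to be imported before a path can show up.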