
Re: TLS encrypted source for Debian iso signing keys?



Rob writes:
> Basically you can use the debian-keyring package to obtain keys of
> many Debian developers.  You can have a high level of trust that those
> keys are real because the package is signed and apt-get would notify
> you if the signature was not real.  The iso you are downloading should
> be signed by someone in that keyring.

The problem with this is that it lacks an out-of-band channel.  A
sufficiently dedicated m-i-t-m could nobble everything.

Of course, if you downloaded your browser he could have nobbled the keys
in it too, so TLS does you no good unless you got your keys via a
channel you can be sure is not controlled by the m-i-t-m that causes you
not to trust the Debian keyring...

Perhaps you could pay Steve to burn a CD for you and then have a bonded
courier service pick it up and deliver it to you.
-- 
John Hasler
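Rob's procedure written out as a script (an added example, not code from this thread): the keyring path is the one the debian-keyring package ships, the SHA512SUMS/SHA512SUMS.sign filenames are those published alongside Debian images, and EXPECTED_FPR is a placeholder for a signing-key fingerprint you obtain out of band, which is the channel John points out is otherwise missing.

```shell
#!/bin/sh
# Added example: verify a Debian ISO via SHA512SUMS + SHA512SUMS.sign using
# only the keys from the debian-keyring package. EXPECTED_FPR is a placeholder
# (assumption): fill it with a fingerprint confirmed out of band.
set -u

KEYRING=/usr/share/keyrings/debian-keyring.gpg   # shipped by debian-keyring
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_FINGERPRINT_CONFIRMED_OUT_OF_BAND}"

# Step 1: check the detached signature against ONLY the debian-keyring keys.
# Returns 0 for a good signature from EXPECTED_FPR; 3 if the keyring is
# absent, 1 on a bad/unknown signature, 2 if signed by some other key.
verify_sums_signature() {
    sums=$1; sig=$2; keyring=${3:-$KEYRING}
    [ -r "$keyring" ] || { echo "missing $keyring (apt-get install debian-keyring)" >&2; return 3; }
    status=$(gpg --no-default-keyring --keyring "$keyring" --status-fd 1 \
                 --verify "$sig" "$sums" 2>/dev/null) || return 1
    # The VALIDSIG status line carries the full fingerprint of the signing key.
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $EXPECTED_FPR " || return 2
}

# Step 2: compare the ISO's SHA-512 with its entry in the (now trusted) SHA512SUMS.
# Returns 0 on match, 4 if the ISO has no entry, 1 on mismatch.
verify_iso_hash() {
    sums=$1; iso=$2
    dir=$(dirname "$iso"); name=$(basename "$iso")
    expected=$(awk -v f="$name" '$2 == f { print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 4; }
    actual=$(cd "$dir" && sha512sum "$name" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Both steps must pass; a failure at either step means the image is untrusted.
verify_iso() {
    sums=$1; sig=$2; iso=$3
    verify_sums_signature "$sums" "$sig" && verify_iso_hash "$sums" "$iso"
}

# Usage: ./verify-iso.sh SHA512SUMS SHA512SUMS.sign debian-<version>.iso
if [ "$#" -eq 3 ]; then
    if verify_iso "$1" "$2" "$3"; then
        echo "OK: $3 matches SHA512SUMS signed by $EXPECTED_FPR"
    else
        echo "FAILED: do not use $3" >&2; exit 1
    fi
fi
```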

