Devon & Cornwall Linux Users' Group

Re: [LUG] Graphical representation of the DCLUG keyring
On Tuesday 05 Aug 2003 11:35 am, Simon Waters wrote:
> Neil Williams wrote:
> > You might trust Werner, but which Werner? I have had 7-8 keys for
> > Werner in my keyring at one time or another and some have recently expired.
>
> The one he signs the GNUPG distro with !

All you need is a good signature by the right key, not the right person. If 
the fingerprint of the key in your keyring matches that on gnupg.org AND you 
get a good signature when you validate the files, why does it matter if you 
trust the person as a physical being? You aren't signing his key.

If everyone had to verify the physical person Werner Koch, he'd have enough 
Air Miles to own BA. (not hard at the mo.)
:-))

Trusting Werner as a person is about verifying the email address and the 
physical face with proper ID. This is incredibly unlikely for 99% of all 
GnuPG users who download the software. 

> Hmm the issue here is establishing the validity of the software, it
> could have been tampered (almost certainly Debian developers "tampered"
> to repackage it), so the Debian maintainer must "trust" Werner or how
> else did he verify he has the right GNUPG. I've implicitly trusted those
> Debian developers (and probably too much else beside).

Werner signs lots of Debian rings keys. All you need is to see a valid 
signature by Werner on the key of the person signing the package.

> Of course they might have taken the argument that Werner would have
> complained about someone claiming to be him posting to the GNUPG lists
> so much over the years ;-)

Sure, it'd be nice to have a strong trust in Werner's key beforehand, but 
isn't that a chicken-and-egg scenario? You can't build a web-of-trust until 
you've had your key signed.

[neil@xxxxx targz]$ gpg --verify cryptplug-0.3.15.tar.gz.sig
gpg: Signature made Thu 05 Dec 2002 09:13:11 GMT using DSA key ID 57548DCD
gpg: Good signature from "Werner Koch (gnupg sig) <dd9jn@xxxxxxx>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6BD9 050F D8FC 941B 4341  2DCC 68B7 AB89 5754 8DCD

The warning is there to make sure you at least verify the fingerprint via 
another means.

http://www.gnupg.org/(en)/download/integrity_check.html
Make sure that you have the right key, either by checking the fingerprint of 
that key with other sources or by checking that the key has been signed by a 
trustworthy other key.

http://www.gnupg.org/(en)/signature_key.html
pub  1024D/57548DCD 1998-07-07 Werner Koch (gnupg sig) 
     Key fingerprint = 6BD9 050F D8FC 941B 4341  2DCC 68B7 AB89 5754 8DCD

In 99% of cases, the fingerprint will have to suffice. Essentially, you are 
only checking that you've got the right file and using the signature as a 
better sum check than md5. (Doesn't hurt to check the md5 too, mind.)


-- 

Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk

http://www.biglumber.com/x/web?sn=Neil+Williams
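The check the post describes, a good signature plus a fingerprint pinned from another source, as an added example that is not part of the original mail. It parses gpg's machine-readable `--status-fd` lines; the sample status lines are constructed from the values printed on the page (the `verify_file` helper, which runs gpg itself, is assumed to have `gpg` on the PATH).

```python
import subprocess
from typing import Dict, List

# Fingerprint of the GnuPG release-signing key as printed on the page;
# spaces removed so it can be compared with the status-fd form.
PINNED_FPR = "6BD9 050F D8FC 941B 4341 2DCC 68B7 AB89 5754 8DCD".replace(" ", "")

def parse_status(status_text: str) -> Dict[str, List[str]]:
    """Group '[GNUPG:] KEYWORD args...' lines by keyword."""
    found: Dict[str, List[str]] = {}
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            found.setdefault(parts[1], []).append(" ".join(parts[2:]))
    return found

def check_release(status_text: str, pinned_fpr: str = PINNED_FPR) -> str:
    """'ok' only for a GOODSIG whose VALIDSIG fingerprint equals the pin.
    A short key ID (57548DCD) is not enough: several keys can share it."""
    st = parse_status(status_text)
    if "BADSIG" in st:
        return "bad-signature"
    if "NO_PUBKEY" in st:
        return "no-public-key"
    if "GOODSIG" not in st or "VALIDSIG" not in st:
        return "no-good-signature"
    # VALIDSIG: first field is the signing (sub)key fingerprint, the optional
    # last field is the primary key fingerprint; either may match the pin.
    fields = st["VALIDSIG"][0].split()
    if pinned_fpr.upper() not in {fields[0].upper(), fields[-1].upper()}:
        return "fingerprint-mismatch"
    return "ok"  # TRUST_UNDEFINED is expected: we pin, we don't trust the WoT

def verify_file(sig_path: str, file_path: str) -> str:
    """Run gpg with status output on stdout and apply check_release to it."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
                          capture_output=True, text=True)
    return check_release(proc.stdout)

# Constructed status lines matching the gpg run quoted in the mail.
SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 68B7AB8957548DCD Werner Koch (gnupg sig) <dd9jn@xxxxxxx>
[GNUPG:] VALIDSIG 6BD9050FD8FC941B43412DCC68B7AB8957548DCD 2002-12-05 1039079591 0 4 0 17 2 00 6BD9050FD8FC941B43412DCC68B7AB8957548DCD
[GNUPG:] TRUST_UNDEFINED"""
# Constructed look-alike: same short key ID and user ID, different fingerprint.
SAMPLE_LOOKALIKE = """[GNUPG:] GOODSIG 1111222233334444555566667777888857548DCD Werner Koch (gnupg sig) <dd9jn@xxxxxxx>
[GNUPG:] VALIDSIG 1111222233334444555566667777888857548DCD 2002-12-05 1039079591 0 4 0 17 2 00 1111222233334444555566667777888857548DCD
[GNUPG:] TRUST_UNDEFINED"""
```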
