-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Neil Williams wrote:
>
>>The one he signs the GNUPG distro with !
>
>
> All you need is a good signature by the right key, not the right person. If
> the fingerprint of the key in your keyring matches that on gnupg.org AND you
> get a good signature when you validate the files, why does it matter if you
> trust the person as a physical being? You aren't signing his key.

Because anyone smart enough to trojan a GPG distribution would probably put
the fingerprint of the fake key they used to sign it on the website, when they
upload the trojaned version.

You'd sign the fake key with a few random fake keys for well known
cryptographers, and IT types, it looks genuine enough, hell it probably isn't
that hard to get this fake group into the web of trust, although it would be a
sparsely connected group (unlike Bradley and Werner who both make the top 50).

It is acceptable to trust the key if a lot of posts on public mailing lists
have used the key and no one has queried their authenticity already. Although
it would be possible to hack mailing list archive servers and re-sign the
posts in the archive with a fake key. So ultimately I'm just pushing up the
ante required to defeat my verification attempts.

I agree I'm being super paranoid, but only because I was curious about the
scope of the web of trust, not because I think I'm running a trojan GPG, if I
really thought that I'd have to fall back to a "known" good version.

Besides, the smart money is backing compromising Werner's key ;-)

-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/MEteGFXfHI9FVgYRAkE4AKCtTsRBdPvtG5W63on7d5Sdqy3WhgCdFG+A
XTeC9vgCSn5ZQ/H05KTIll0=
=f7ie
-----END PGP SIGNATURE-----

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.
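The point of the exchange above is that "Good signature" on its own proves only that some key signed the file; if the fingerprint you compare against came from the same web site as the download, an attacker who replaced the tarball could replace the fingerprint too. The check that actually raises the bar is to pin the signing key's fingerprint from a channel the attacker does not control (a keysigning, years of signed list posts, a key already in your keyring) and accept a verification only when the key that produced the good signature is that pinned key. The script below is an added example, not code from the original post or from the GnuPG project: it parses the machine-readable status lines GnuPG emits with `--status-fd` (`GOODSIG`, `BADSIG`, `ERRSIG`, `VALIDSIG` are real GnuPG keywords) and applies a pinned-fingerprint policy. The fingerprints, key IDs and user IDs in it are constructed placeholders, and the `verify_file` wrapper assumes a `gpg` binary on PATH; the embedded sample status output lets the policy logic run offline.

```python
"""Accept a GnuPG signature only if the signing key is one pinned out of band.

Added example (not from the original post). Fingerprints below are constructed
placeholders; replace PINNED_FINGERPRINTS with values you obtained from a
source independent of the download site.
"""
import re
import subprocess
from typing import Dict, Optional, Set

# Constructed placeholder fingerprint, written in the spaced form gpg prints.
PINNED_FINGERPRINTS: Set[str] = {
    "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567",
}


def normalize_fpr(fpr: str) -> str:
    """Canonical form for comparison: uppercase hex with all whitespace removed."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_status(status_text: str) -> Dict[str, Optional[object]]:
    """Parse the '[GNUPG:] ...' lines gpg writes to the --status-fd descriptor."""
    result: Dict[str, Optional[object]] = {
        "good": False,            # a GOODSIG line was seen
        "bad": False,             # a BADSIG or ERRSIG line was seen
        "fingerprint": None,      # fingerprint of the key that made the signature
        "primary_fingerprint": None,  # primary key fingerprint if a subkey signed
        "signer": None,           # user ID reported on the GOODSIG line
    }
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            result["good"] = True
            result["signer"] = " ".join(fields[3:])
        elif keyword in ("BADSIG", "ERRSIG"):
            result["bad"] = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <timestamp> <expire> <ver> <reserved>
            #          <pubkey-algo> <hash-algo> <sig-class> [<primary-fpr>]
            result["fingerprint"] = fields[2]
            if len(fields) >= 12:
                result["primary_fingerprint"] = fields[11]
    return result


def verdict(status: Dict[str, Optional[object]], pinned: Set[str]) -> str:
    """Policy: good signature AND (signing key or its primary key) is pinned."""
    if status["bad"] or not status["good"]:
        return "REJECT: signature invalid or missing"
    pinned_norm = {normalize_fpr(p) for p in pinned}
    candidates = {
        normalize_fpr(f)
        for f in (status["fingerprint"], status["primary_fingerprint"])
        if isinstance(f, str)
    }
    if candidates & pinned_norm:
        return "ACCEPT"
    return "REJECT: good signature, but not from a pinned key"


def verify_file(sig_path: str, data_path: str,
                pinned: Set[str] = PINNED_FINGERPRINTS) -> str:
    """Run gpg --verify and apply the pinned-key policy (needs gpg on PATH).

    Status lines are sent to stdout (fd 1); gpg's human-readable text goes to stderr.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return verdict(parse_status(proc.stdout), pinned)


# Constructed sample status output: a GOOD signature from a key we never pinned.
# A check that stops at "Good signature" would accept this.
SAMPLE_STATUS_UNPINNED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Placeholder Signer <signer@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2003-08-06 1060124000 0 4 0 17 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed sample: a good signature made by a signing subkey whose primary key
# is the pinned one, which the policy accepts via the primary fingerprint field.
SAMPLE_STATUS_PINNED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Placeholder Maintainer <maint@example.invalid>
[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0000111122223333 2003-08-06 1060124000 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    print(verdict(parse_status(SAMPLE_STATUS_UNPINNED), PINNED_FINGERPRINTS))
    print(verdict(parse_status(SAMPLE_STATUS_PINNED), PINNED_FINGERPRINTS))
```

The `TRUST_UNDEFINED` line in both samples is deliberate: the policy does not depend on GnuPG's own web-of-trust computation at all, only on whether the key that produced the good signature is one you pinned yourself, which is the distinction the thread is drawing.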