How to find and verify a trust path?

Philip Jägenstedt philip at foolip.org
Wed Sep 18 23:37:01 CEST 2013


On Wed, Sep 18, 2013 at 10:23 PM, Peter Lebbing <peter at digitalbrains.com> wrote:
> On 18/09/13 22:14, � wrote:
>> If I assume that the Wayback Machine isn't part of a conspiracy against me
>
> I don't see how this is different than not verifying at all and "assuming
> gnupg.org isn't part of a conspiracy against me".

It's one more server which would have to be under the attacker's
control, in addition to gnupg.org, Google cache, mailing list mirrors
and whatever else one might find.

> What is your threat model?

When checking the GnuPG dist sig key, the risk is some third party
modifying the source, i.e. that the code I'm getting is not from the
same origin as all the gpg binaries everyone else is using and
trusting with their secrets.

> Alternatively, if you use a Linux distro: simply install it with the package
> manager. You already implicitly trust that anyway. If somebody got inside the
> package manager, they don't need to bother to attack GnuPG specifically.
>
> I suppose technically you're also trusting the maintainer for the package. No
> worse than trusting any other maintainer, I think. They all have access to the
> binaries you run.

I wanted to try 2.1.0beta3 which isn't in Debian testing, but using
the package manager (which I trust) as yet another cross-check sounds
reasonable, if some package happened to include the dist sig key, but
I haven't found it.

While imperfect, checks like these might have to suffice until I can
use the web of trust to establish key validity instead.

-- 
Philip Jägenstedt

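The cross-check Philip describes above (several independent channels must all show the same dist sig key before it is trusted) as an added example; this is not code from the thread or from GnuPG, and the fingerprint and source names are constructed:

```python
import re
from collections import Counter

# Constructed sample fingerprint (not a real key). A v4 OpenPGP fingerprint is
# 40 hex digits; 8- or 16-digit key IDs are only its suffix and are cheap to
# collide, so a channel that shows nothing more is not counted as evidence.
SAMPLE_FPR = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"

# Ten groups of four hex digits, optionally whitespace-separated, and not
# embedded in a longer hex run (such as a SHA-256 checksum).
_FPR_RE = re.compile(r"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{4}\s*){10})(?![0-9A-Fa-f])")

def normalize_fingerprint(text):
    """Return the full fingerprint found in text as 40 uppercase hex digits,
    or None if the text carries only a short/long key ID or nothing usable."""
    match = _FPR_RE.search(text)
    if not match:
        return None
    return re.sub(r"\s+", "", match.group(1)).upper()

def cross_check(observations, min_sources=3):
    """observations: list of (source, text_as_displayed) from independent
    channels. The key is accepted only if no usable source disagrees and at
    least min_sources usable sources show the same full fingerprint."""
    seen, rejected = {}, []
    for source, text in observations:
        fpr = normalize_fingerprint(text)
        if fpr is None:
            rejected.append(source)
        else:
            seen[source] = fpr
    tally = Counter(seen.values())
    if not tally:
        return {"ok": False, "fingerprint": None, "agreeing": [],
                "disagreeing": [], "rejected": rejected}
    candidate, count = tally.most_common(1)[0]
    agreeing = sorted(s for s, f in seen.items() if f == candidate)
    disagreeing = sorted(s for s, f in seen.items() if f != candidate)
    return {"ok": not disagreeing and count >= min_sources, "fingerprint": candidate,
            "agreeing": agreeing, "disagreeing": disagreeing, "rejected": rejected}

# Constructed observations: three channels show the same key in different
# layouts; a fourth quotes only a 16-digit key ID and is set aside.
OBSERVATIONS = [
    ("gnupg.org", "Key fingerprint = " + SAMPLE_FPR),
    ("wayback-machine", SAMPLE_FPR.replace(" ", "")),
    ("mailing-list-mirror", SAMPLE_FPR.lower()),
    ("blog-post", "signed with key 0x89ABCDEF01234567"),
]

if __name__ == "__main__":
    print(cross_check(OBSERVATIONS))
```

A channel that later shows a different fingerprint (a tampered mirror, say) makes the check fail outright rather than being outvoted, since disagreement between channels is exactly the signal the cross-check exists to surface.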