Verification via the web of trust

Andrew Gallagher andrewg at
Tue Mar 22 19:43:20 CET 2016

On 22/03/16 18:30, Peter Lebbing wrote:
> On 22/03/16 19:14, Andrew Gallagher wrote:
>> All this is true. But this does not help *me* one iota.
> It sounds to me like you're not looking for the Web of Trust, which is indeed
> very limited in its options. Instead, you are probably looking for something
> more like TOFU, in the sense that this developer whose signature you see is the
> same one whose signature you saw last time.

Only for a project with one developer! Otherwise, the person who signs
it could legitimately change between releases. Large projects often have
a separate release signing key, but not apache it seems...

And at the risk of getting shot down (again), TOFU doesn't work. Not
because TOFU is broken (it's a perfectly valid method), but because
*people* are broken. How many times have you blithely clicked through an
ssh "WARNING: the remote host key has changed!" prompt? ;-)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20160322/c79c6ac8/attachment.sig>

More information about the Gnupg-users mailing list